orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary commands on the host system by spawning sub-processes for various LLM CLI tools via wrapper scripts like scripts/spawn-agent.sh and scripts/parallel-run.sh.
- [COMMAND_EXECUTION]: In config/cli-config.yaml, the skill explicitly configures multiple LLM providers (Gemini, Claude, Codex, Qwen) to operate in 'yolo', 'dangerously-skip-permissions', or 'full-auto' modes. These flags intentionally bypass the standard user approval process for actions like file system modification or network access.
- [PROMPT_INJECTION]: The resources/subagent-prompt-template.md file interpolates {TASK_DESCRIPTION} and {ACCEPTANCE_CRITERIA} directly into the prompt without sanitization, creating a surface for direct instruction override if the task source is manipulated.
- [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface:
  - Ingestion points: The orchestrator reads untrusted data from task-board.md, progress-{agent-id}.md, and result-{agent-id}.md.
  - Boundary markers: No delimiters or 'ignore embedded instructions' warnings are present in the prompt templates when reading these shared memory files.
  - Capability inventory: The orchestrator can spawn processes, write files, and execute parallel agents via the oh-my-ag tool.
  - Sanitization: No evidence of validation, escaping, or filtering of external content exists before processing agent-generated results or updating session metrics.
Audit Metadata