multi-perspective
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted research questions and project context without adequate protection.
- Ingestion points: User-provided research questions and project context are ingested via $ARGUMENTS and referenced files in SKILL.md (Phase 1).
- Boundary markers: The skill lacks boundary markers or explicit instructions for sub-agents to ignore embedded commands within the interpolated research question and context blocks.
- Capability inventory: The skill uses Read, Write, Edit, Glob, Grep, Task, and AskUserQuestion tools. The Task tool allows spawning further agents with their own capabilities.
- Sanitization: No sanitization, escaping, or validation is performed on the input data before it is inserted into the prompt templates for sub-agents in Phases 3 and 3.5.
- [COMMAND_EXECUTION]: The skill describes a 'Council Mode' that requires executing a shell command to invoke a local multi-model orchestration tool.
- Evidence: SKILL.md specifies an invocation command, `uv run python -m cli_council`, which is executed after changing the directory to `packages/cli-council`.
Audit Metadata