paseo-orchestrate
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs and executes shell commands using variables like `<task-slug>` (e.g., `cat ~/.paseo/plans/<task-slug>.md`). If these identifiers are derived from user-supplied task descriptions without robust sanitization, it could lead to directory traversal or command injection when interpreted by the shell.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple sources to influence its orchestration logic and the prompts it sends to sub-agents.
  - Ingestion points: The skill reads user input from `$ARGUMENTS`, activity logs from sub-agents via the `get agent activity` tool, and implementation plans stored in the `~/.paseo/plans/` directory.
  - Boundary markers: No explicit delimiters or boundary markers are used when interpolating external content or agent findings into subsequent prompts.
  - Capability inventory: The skill possesses high-privilege capabilities including the ability to launch agents (`create agent`), send instructions to them (`send agent prompt`), schedule recurring tasks (`create schedule`), and execute arbitrary shell commands (`Bash` tool).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content gathered from sub-agents before it is integrated into the orchestrator's decision-making process or passed to other agents.