paseo-orchestrator
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the paseo CLI to perform sensitive operations, including `paseo run` with elevated privileges (`--mode bypassPermissions`) and `paseo schedule create` for establishing persistent heartbeat tasks.
- [PROMPT_INJECTION]: The orchestrator is vulnerable to indirect prompt injection because agents process untrusted data from chat rooms and the codebase. (1) Ingestion points: Agents read full histories from chat rooms via `paseo chat read`. (2) Boundary markers: No delimiters or instructions to ignore embedded commands are present in the logic. (3) Capability inventory: Agents can execute sub-agents with full access and bypassed permissions. (4) Sanitization: No validation or escaping of external chat content is implemented before it influences agent behavior.
Audit Metadata