orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of system-level tools including the Bash tool, tabz_spawn_profile, and tabz_send_keys to execute commands such as git merges, worktree deletions, and npm builds across various models.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the processing of external task data.
- Ingestion points: Untrusted data enters the agent context through issue descriptions fetched via mcp__beads__show in SKILL.md.
- Boundary markers: The skill lacks delimiters or explicit instructions to treat interpolated issue details as data rather than instructions when passing them to sub-agents like Haiku or Codex.
- Capability inventory: The orchestrator has significant control over the environment, including shell access via Bash and the ability to send input to terminal sessions (file: SKILL.md).
- Sanitization: There is no evidence of validation or sanitization of the details.description field before it is interpolated into model prompts.
Audit Metadata