do-and-judge

The SKILL.md file was analyzed for all 9 threat categories. No malicious patterns were detected. The skill is purely instructional and does not contain any executable code, shell commands, or direct network operations. It describes a high-level process for an AI orchestrator to manage other AI sub-agents and judges.

• Prompt Injection: The 'CRITICAL' markers found are instructions to the orchestrating AI or its sub-agents, guiding their behavior and ensuring structured output, rather than attempts to inject malicious prompts into the orchestrator itself. The skill's design, with structured prompts and self-critique for sub-agents, aims to mitigate prompt injection risks within the sub-agent interactions.
• Data Exfiltration: No commands or patterns indicative of data exfiltration (e.g., curl, wget, sensitive file paths like ~/.ssh/id_rsa) were found.
• Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected.
• Unverifiable Dependencies: The skill refers to sdd plugin agents and general-purpose agents, which are internal references within the agent system, not external software dependencies requiring installation or download.
• Privilege Escalation: No commands related to privilege escalation (e.g., sudo, chmod, system file modifications) were found.
• Persistence Mechanisms: No patterns for establishing persistence (e.g., modifying .bashrc, crontab) were detected.
• Metadata Poisoning: The name, description, and argument-hint fields were checked and found to be benign.
• Indirect Prompt Injection: While the skill processes user-provided task descriptions and outputs from other agents, which are potential vectors for indirect prompt injection in any LLM system, the skill's design explicitly includes mechanisms to mitigate this. It instructs the orchestrator to 'Parse only VERDICT/SCORE/ISSUES from judge output' and 'DO NOT read full report' to avoid context pollution. The structured prompts for sub-agents and the judge verification loop further reduce the likelihood of malicious instructions being executed unnoticed.
• Time-Delayed / Conditional Attacks: No time-delayed or conditional attack patterns were identified.

Overall, the skill is a well-structured set of instructions for an AI orchestration process. Its design incorporates several best practices for managing AI agent interactions and verifying outputs, which contributes to its safety.