project-orchestrator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): Phase 6 and 7 involve executing dynamically generated commands such as 'npm install [packages]', 'pip install', and '[framework init command]'. These packages are not hardcoded and are determined by the agent at runtime, which could lead to the installation of malicious software if the decision-making process is compromised.
- Indirect Prompt Injection (LOW): This skill has a significant attack surface for indirect prompt injection.
- Ingestion points: Phase 2 involves 'Repository analysis (3-5 reference repos)' where the agent reads content from external, potentially untrusted GitHub repositories.
- Boundary markers: None. There are no instructions to the agent to ignore or delimit instructions found within the reference repositories.
- Capability inventory: The agent can execute shell commands, install packages, write files to the local filesystem (e.g.,
.rulesync/rules/), and initialize Git repositories. - Sanitization: None. The skill does not implement validation or escaping for the data retrieved from external repositories before using it to define the tech stack or initialization commands.
- Dynamic Execution (MEDIUM): The skill generates and executes shell scripts and configuration files at runtime (Phase 6). It also executes 'npm run ai:sync' and custom test commands, which are high-privilege operations in a development environment.
Audit Metadata