oma-orchestrator

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The orchestrator is configured to launch its sub-agents (Gemini, Claude, and Codex) with flags that explicitly disable safety guardrails and human-in-the-loop approval of individual actions. As listed in 'config/cli-config.yaml', these include '--approval-mode=yolo', '--dangerously-skip-permissions', and '--full-auto'. With these set, nothing a sub-agent decides to run is reviewed by a person before it executes.
  • [PROMPT_INJECTION]: The skill takes user-provided requests and decomposes them into autonomous tasks for sub-agents, which creates an indirect injection surface:
    1. Ingestion points: user requests enter the system during the planning phase described in 'SKILL.md'.
    2. Boundary markers: 'resources/subagent-prompt-template.md' fills the '{TASK_DESCRIPTION}' field by plain string interpolation, with no delimiters separating the untrusted task text from the template's own instructions.
    3. Capability inventory: the sub-agents can create and modify files and execute CLI tools.
    4. Sanitization: no validation or sanitization is applied to task text before it is handed to an agent.
  • [COMMAND_EXECUTION]: Multiple shell scripts ('scripts/spawn-agent.sh', 'scripts/parallel-run.sh', 'scripts/verify.sh') directly execute the 'oh-my-ag' CLI tool with arguments assembled by the orchestrator logic. Combined with the flags above, any task text that reaches these scripts is acted on without human review.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 21, 2026, 09:36 PM