orchestrator
Fail
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the command 'claude --dangerously-skip-permissions' to launch sub-agents. This flag disables security boundaries and permission checks, allowing the sub-agent to perform potentially harmful actions on the host system without user approval.
- [COMMAND_EXECUTION]: The skill automates complex system interactions, including managing background tmux sessions and writing executable prompt files, which run without direct human interaction or oversight.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests content from external YAML files and skill indexes and directly interpolates them into the prompts for weavers.
  - Ingestion points: Untrusted data is read from '.claude/vertical/plans//specs/*.yaml' and 'skill-index/index.yaml'.
  - Boundary markers: While XML-style tags are used (e.g., ), there are no instructions to the sub-agent to ignore potential command overrides within that content.
  - Capability inventory: The skill can spawn new sessions, write files to the repository and /tmp, and execute other AI agents with bypassed permissions.
  - Sanitization: There is no evidence of content validation, escaping, or sanitization of the external data before it is placed into a prompt.
Recommendations
- AI detected serious security threats