agentic-research-orchestration

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface, as it ingests and processes data from external web sources which is then relayed to other agents.
    ◦ Ingestion points: The orchestrator receives URLs, scraped content, and findings from the ExaAI and Firecrawl specialist agents during the Active Orchestration loop (Phase 4).
    ◦ Boundary markers: While the skill uses structured communication formats (SendMessage) to relay data, there are no explicit boundary markers or instructions to sub-agents to ignore embedded instructions within the processed web content.
    ◦ Capability inventory: The system has the capability to spawn new sub-agents (Task tool), write files to the local disk, execute local shell scripts (zsh-tool), and send network notifications via Gotify.
    ◦ Sanitization: The skill performs relevance and quality tier filtering on URLs, but it does not describe any sanitization or validation of the actual content fetched from the web to prevent instruction injection.
  • [COMMAND_EXECUTION]: The skill uses local shell commands and pre-existing scripts to manage research data and generate reports.
    ◦ Evidence: The workflow includes calls to mkdir -p for directory management and scripts such as nlm-generate.sh, nlm-download.sh, and query.sh for artifact handling and database querying. It explicitly requires the use of pty: true for tool execution.
  • [EXTERNAL_DOWNLOADS]: The documentation references standard external packages and CLI tools required for the research workflow.
    ◦ Evidence: The README.md instructs the user to install @firecrawl/cli via npm and notebooklm-py via pip. These are legitimate tools for the intended functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 05:10 PM