saga-orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The orchestrator is designed to ingest untrusted specification data from YAML files in the 'docs/specs/' directory. This content is used to drive sub-agent tasks via the 'runSubagent' function without any boundary markers or sanitization, creating a direct path for indirect prompt injection. Ingestion point: specification files in 'docs/specs/'. Boundary markers: absent from sub-agent dispatch prompts. Capability inventory: coordination of 'command-sub-agent' and 'reactor-sub-agent', which handle state changes and code generation. Sanitization: no validation or escaping of input data is present.
- [COMMAND_EXECUTION] (HIGH): The orchestrator manages agents with the capability to perform state-changing operations and generate code. An attacker who can provide a malicious specification file can exploit the orchestration flow to perform unauthorized actions or inject malicious logic into the generated system components.
Recommendations
- AI detected serious security threats
Audit Metadata