thinking-parliament

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface in SKILL.md. The skill aggregates user input and search results into a shared context that is then interpolated into prompts for five different LLM agents.
      • Ingestion points: User input variable $PROBLEM and context file 00-context.md (containing data from codebase, documentation, memory, and sessions indexes).
      • Boundary markers: The skill uses simple text headers to separate roles and context, but does not employ secure delimiters or explicit 'ignore instructions' markers to prevent the model from obeying instructions embedded in the retrieved data.
      • Capability inventory: Orchestrates multiple subprocesses using lev exec and node, with the ability to write deliberation artifacts to the local filesystem.
      • Sanitization: No input validation or sanitization is performed on the data retrieved from semantic search before it is passed to the LLMs.
  • [COMMAND_EXECUTION]: The skill uses dynamic shell command construction in SKILL.md to handle problem keywords and dispatch agents.
      • Evidence: Employs shell subshells and variable interpolation (e.g., $(echo $PROBLEM | ...) and lev exec ... $PROBLEM) which allows user-controlled or data-controlled content to influence command arguments.
      • Behavior: Spawns multiple parallel background processes using the ampersand operator and manages their completion with wait.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 09:43 AM