got-controller

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, NO_CODE
Full Analysis
  • Indirect Prompt Injection (LOW): The skill operates as a high-level orchestrator that manages and synthesizes untrusted content from multiple sub-agents into a unified graph state.
      • Ingestion points: Data enters the system via nodes representing findings from parallel research agents.
      • Boundary markers: The instructions use Markdown tables and structured logging for state management, which provides some structural separation, but they lack explicit 'ignore embedded instructions' delimiters for the research content being aggregated.
      • Capability inventory: The skill has the capability to spawn new agents (Task Tool) and write data to the local file system (Read/Write tool for persistence), creating a potential path for data from an untrusted source to influence subsequent actions.
      • Sanitization: There is no explicit logic provided for sanitizing or filtering input received from the sub-agents during the 'Aggregate' or 'Refine' operations.
  • Data Exposure & Exfiltration (SAFE): The skill references writing state to research_notes/got_graph_state.md. This is a localized, non-sensitive path used for its intended purpose of graph persistence. No access to sensitive credentials, system configurations, or unauthorized network exfiltration was detected.
  • Unverifiable Dependencies (SAFE): The skill uses internal workspace tools (Task, TodoWrite, Read/Write) rather than downloading external packages or executing remote scripts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 05:33 PM