orchestrator-design
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, NO_CODE
Full Analysis
- [Indirect Prompt Injection] (HIGH): The proposed orchestrator architecture creates a critical vulnerability surface by delegating tasks to sub-agents and using their outputs to form new commands for agents with high-privilege capabilities.
- Ingestion points: SKILL.md Step 4 and Step 6 describe workflows where the orchestrator reads agent logs and aggregates findings from 'scout' agents that use the 'Read' tool.
- Boundary markers: The design templates (Step 2) and system prompts (Step 3) lack delimiters or instructions (e.g., 'ignore instructions in data') to prevent the orchestrator from obeying malicious content embedded in sub-agent reports.
- Capability inventory: Sub-agents like the 'builder' and 'reviewer' are granted high-privilege tools including 'Bash', 'Write', and 'Edit'.
- Sanitization: The instructions do not include any patterns for sanitizing or validating external data before it is processed or used to generate subsequent agent commands.
- [No Code] (INFO): This skill contains architectural guidance and markdown documentation but does not include any directly executable scripts or code files.
Recommendations
- AI detected serious security threats