autonomous-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill's global rules in `AGENTS.md` instruct the agent to use `sudo` or the Windows `runas /user:Administrator` command for operations requiring elevated privileges, allowing for administrative actions on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core autonomous loop involves continuously reading and processing work from external, untrusted sources.
  - Ingestion points: Processes data from GitHub issues, pull request reviews, notifications, and entire repository contents.
  - Boundary markers: No explicit delimiters or isolation instructions are defined to separate untrusted data from the agent's logic.
  - Capability inventory: The orchestrator has broad capabilities including file modification, shell command execution, and sub-agent spawning.
  - Sanitization: Relies on a high-level behavioral review checklist rather than input-level sanitization.
- [PROMPT_INJECTION]: The skill employs behavioral persistence by using rule files (`AGENTS.md`) as persistent memory. It is instructed to autonomously update these rules and its own behavioral instructions across sessions to fix gaps or redundancy.
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs various CLI tools and packages from the author's scope at runtime, including `@metyatech/task-tracker`, `@metyatech/thread-inbox`, and `compose-agentsmd`.
Audit Metadata