debate-protocol
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface within its multi-agent orchestration logic.
  - Ingestion points: The `SKILL.md` file defines a `Task Prompt Template` used in Phase 1 that interpolates the `context_summary`, `scope`, and `domains` parameters directly from the caller-provided `debate_input`.
  - Boundary markers: While the template uses markdown headers (e.g., `## Phase 1: Independent Investigation`) to provide structure, it lacks explicit delimitation or instructions to the LLM to ignore or escape instructions contained within the interpolated variables.
  - Capability inventory: The skill spawns sub-agents with access to the `Read`, `Write`, `Task`, and `Bash` tools, creating a risk of unauthorized actions if a sub-agent follows instructions injected via the `scope` or `context_summary` fields.
  - Sanitization: There is no evidence of input validation, sanitization, or escaping for the strings processed by the prompt template.
- [COMMAND_EXECUTION]: The skill includes instructions to execute shell commands that exceed the specifically defined tool restrictions.
  - Evidence: In `SKILL.md`, the `allowed-tools` section restricts `Bash` to `mkdir *`. However, the `Phase 5` and `Execution Instructions` sections include commands for `ls -t` and `qmd collection add`. While these specific tools are for local file management and are not inherently malicious, their inclusion in the instructions suggests the agent may attempt to bypass the restricted tool manifest.