agent-orchestration-planner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill demonstrates a pattern of interpolating untrusted data directly into prompts, creating a significant attack surface for indirect prompt injection.
- Ingestion points: Untrusted user input enters the agent context through the 'query' variable in 'select_tools' and via 'state.get_context()' (conversation history) in 'build_planning_prompt'.
- Boundary markers: Absent. The query is placed inside standard double quotes within an f-string (e.g., 'Given this query: "{query}"'); an attacker can close the quote and append instructions, so the quotes provide no trust boundary.
- Capability inventory: The orchestrator is designed to execute tools with significant side effects, including 'query_database' and 'call_api', making an injection attack potentially high-impact.
- Sanitization: No sanitization, escaping, or schema validation for the interpolated content is present in the provided code snippets.
Recommendations
- AI detected serious security threats