booth
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture relies on an orchestrator agent processing natural language alerts and reports from worker agents, creating a path for indirect prompt injection.
  - Ingestion points: The DJ agent consumes alerts from /booth-alert and reads report bodies via the booth reports CLI as detailed in references/signals.md and references/cli.md.
  - Boundary markers: There are no specified delimiters or instructions to ignore instructions within reports, increasing the risk of the orchestrator following commands embedded in worker output.
  - Capability inventory: The DJ agent possesses capabilities to spin, send prompts to, and kill other agent sessions via the booth CLI.
  - Sanitization: No evidence of sanitization or validation of the ingested worker content is provided in the operational protocols.
- [COMMAND_EXECUTION]: The skill utilizes automation features that reduce human oversight. It specifically automates the approval of 'Plan Mode' exits and utilizes flags like --dangerously-skip-permissions in worker sessions, allowing agents to perform tasks with fewer manual confirmation steps.
Audit Metadata