orchestration
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill employs authoritative and absolute language designed to override the agent's standard operational constraints. Evidence includes terms like 'MANDATORY', 'UNBREAKABLE', 'Iron Law', and 'Iron Claw'. These patterns are characteristic of jailbreak-style instructions intended to force priority over the system prompt.
- Indirect Prompt Injection (MEDIUM): The skill implements a 'Task Type Detection' system (Step 2) that maps user-controllable request patterns (e.g., 'trading', 'deploy', 'fix') to the loading of specific markdown files.
- Ingestion points: User request patterns in Step 2.
- Boundary markers: None identified; no delimiters or instructions to ignore content within the mapped domains.
- Capability inventory: The skill manages 'Worker' spawning, 'Tool ownership', and external process invocation (
rlm-process). - Sanitization: No validation or sanitization of user-provided keywords before triggering the domain-specific logic.
- Command Execution (LOW): The skill metadata explicitly lists
rlm-processunder theinvokeskey. While the exact function is not defined in this file, it indicates a capability to trigger external processes as part of the orchestration workflow. - Persistence Mechanisms (MEDIUM): The inclusion of a 'Memory recovery protocol' and 'Post-compact recovery' suggests a design intended to persist state and instructions across context window resets or session boundaries, which can be used to maintain malicious state.
Audit Metadata