workflow-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill offers a Fast-Track mode and an Agent Teams mode that ingest user-provided task specifications and configuration files. Because the Fast-Track mode skips the early review phases and manual approval gates, it introduces a risk of indirect prompt injection: malicious instructions embedded in a specification could be executed automatically. (Ingestion points: user tasks, spec files, project config; Boundary markers: absent; Capability inventory: Bash, Write, Edit, subagent creation; Sanitization: absent)
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute local scripts such as team-bridge.cjs and merge-team-logs.sh for managing workflow state and logs. These scripts are not included in the skill package, so their behavior cannot be verified.
- [DATA_EXFILTRATION]: The skill is configured to read sensitive project information from the .claude/ directory, including project-config.yaml and workflow logs. It also has the capability to send notifications via Slack, which provides a network channel that could be used to transmit project data.
Audit Metadata