task-orchestration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill uses behavioral triggers (e.g., `/orchestrate:spawn`) that interpret user input to define agent personas and strategies. This instruction-following design is susceptible to manipulation if a user provides specifically crafted text to override the orchestration logic.
- Indirect Prompt Injection (LOW): The skill acts as a meta-orchestrator, creating a significant injection surface.
  - Ingestion points: Files `references/spawn.md` and `references/task.md` accept arbitrary user input via `[complex-task]` and `[action]` parameters.
  - Boundary markers: The delegation templates do not show the use of delimiters (like triple quotes or XML tags) to wrap user input, nor do they include instructions for the agent to ignore instructions embedded within the user data.
  - Capability inventory: The skill coordinates powerful tools including `Task` (for spawning new agents), `Bash` (for shell execution), and `Read`/`Write`/`Edit` (for file system modification).
  - Sanitization: There is no mention of escaping or validating user input before passing it to sub-agents or the Bash shell.
- Command Execution (LOW): Documentation in `references/spawn.md` explicitly encourages the use of the `Bash` tool for system-level operations. While necessary for the skill's stated purpose of 'Meta-System Orchestration', the use of shell tools alongside un-sanitized user input increases the overall risk profile.
Audit Metadata