ai-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides procedural instructions and Python/TypeScript examples for executing system commands. For instance,
examples/iterative-loop.mdcontains a Python script that usessubprocess.runto execute git commands and manages an autonomous execution loop.\n- [PROMPT_INJECTION]: TheSKILL.mdandREADME.mdfiles contain rigid behavioral instructions, such as 'This skill NEVER does work itself' and 'The orchestrator identity is non-negotiable,' which are intended to override the default operating mode of the AI agent.\n- [EXTERNAL_DOWNLOADS]: The skill refers to external documentation sources includingcode.claude.com,opencode.ai, andgeminicli.com. It instructs the agent to fetch updated information from these URLs using aWebFetchtool if the provided references are insufficient.\n- [CREDENTIALS_UNSAFE]: The documentation mentions the use of sensitive environment variables for authentication, such asANTHROPIC_API_KEYandOPENCODE_SERVER_PASSWORD. It also references the--dangerously-skip-permissionsflag for the Claude Code CLI, which bypasses security confirmation prompts.\n- [INDIRECT_PROMPT_INJECTION]: The skill functions as a gateway that takes user-provided tasks and interpolates them into prompts for other AI agents.\n - Ingestion points: User requests captured in the 'compose the prompt' step of
SKILL.md.\n - Boundary markers: Absent; the skill does not define specific delimiters or instructions to prevent downstream agents from being influenced by malicious instructions within the user-provided goals.\n
- Capability inventory: The skill facilitates file writing, shell execution via
subprocess, and network operations through the delegated agents and SDKs.\n - Sanitization: No sanitization or validation of the user-provided prompt content is performed before delegation.
Audit Metadata