agent-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Vulnerability to indirect prompt injection via the 'macro task' input. The orchestrator decomposes untrusted input into instructions for sub-agents (Phase 1) without sanitization, boundary markers, or instruction-following constraints.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill dynamically generates sub-agent definitions (SKILL.md) and executes them using the 'Task' tool (Phase 3). This allows malicious inputs to define the operational logic of the spawned agents.
  • [COMMAND_EXECUTION] (HIGH): Sub-agent templates for 'Code' and 'Analysis' agents include unrestricted access to the Bash tool. Additionally, the orchestrator executes local scripts (scripts/create_agent.py) via python3, which could be exploited if pathing or naming is controlled by an attacker.
  • [DATA_EXFILTRATION] (MEDIUM): The 'Research Agent' template provides web access tools (WebSearch/WebFetch). Combined with the capability to read local files, an injected sub-agent could be used to exfiltrate sensitive information to an attacker-controlled server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 04:27 AM