arbiter
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection through untrusted human/bot feedback.
  - Ingestion points: The skill reads markdown files from `~/.arbiter/queue/` using `readFileSync` and `readdirSync` in `src/utils.ts`. These files are populated by an external review bot.
  - Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded commands within the 'answer' fields parsed from markdown.
  - Capability inventory: The agent uses results from `arbiter_get` to make architectural decisions, approve plans, and proceed with potentially high-privilege tasks. Malicious input in the decision queue could hijack this logic.
  - Sanitization: Absent. `src/utils.ts` uses a basic regex (`/^answer:\s*(.+)$/m`) to extract values, which does not prevent command or prompt injection.
- COMMAND_EXECUTION (MEDIUM): Path Traversal in decision plan creation.
  - Evidence: In `src/push.ts`, the `agent` variable is incorporated directly into a filename and joined to a path using `path.join` without sanitization. An attacker controlling the `agent` parameter (via injection in a previous agent step) could use values like `../../` to write files to arbitrary locations.
  - Impact: While file extensions are limited to `.md`, this allows unauthorized file creation in sensitive directories (e.g., `~/.ssh/config.md` or `~/.bashrc.md`).
Recommendations
- AI detected serious security threats
Audit Metadata