llm-council
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
DATA_EXFILTRATION | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructions direct the agent to autonomously scan the workspace and read potentially sensitive files for context enrichment without explicit per-file user consent.
  - Evidence: Step 1A explicitly mentions searching for and reading files such as memory/ folders, revenue data, audience profiles, and business details using Glob and Read calls to inform the advisors.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design, as it interpolates untrusted workspace content into sub-agent prompts.
  - Ingestion points: CLAUDE.md, the memory/ folder, and arbitrary workspace context files are read in Step 1A.
  - Boundary markers: The prompt templates use --- delimiters to separate context from instructions, but these can be bypassed by adversarial content in the files.
  - Capability inventory: The agent can read workspace files, write HTML/Markdown files, and spawn sub-agents to process and synthesize content.
  - Sanitization: No sanitization, escaping, or filtering of the ingested content is specified before interpolation into sub-agent prompts.
- [COMMAND_EXECUTION]: The skill generates and automatically opens HTML reports in the user's environment, which could contain malicious scripts if the source data is poisoned.
  - Evidence: Step 5 instructs the agent to generate council-report-[timestamp].html using content from the council session and then open the file for the user. Malicious content ingested from the workspace could execute scripts when rendered in a browser.
Audit Metadata