multi-agent-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The orchestrator extracts task descriptions and requirements from external files (`tasks.md`, `requirements.md`) and interpolates them directly into agent prompts without sanitization.
  - Ingestion points: `tasks.md`, `requirements.md`, and `design.md` are read to populate the `---CONTENT---` section of task configurations for worker agents.
  - Boundary markers: Absent. The skill uses simple block delimiters but fails to escape or sanitize the untrusted content from the markdown files.
  - Capability inventory: The downstream agents (Codex, Gemini) have capabilities to execute shell commands and modify the filesystem via the `codeagent-wrapper` tool.
  - Sanitization: No sanitization or validation of the ingested markdown content is performed before it is sent to the LLM backend.
- Insecure Binary Resolution (HIGH): The utility script for locating the `codeagent-wrapper` binary uses an insecure search order.
  - Evidence: `scripts/codeagent_wrapper_utils.py` searches for the executable in the current working directory (`Path.cwd()`) and user-writable paths like `~/.local/bin` and `~/bin`.
  - Risk: An attacker who can place a file in the project directory can execute arbitrary code with the agent's privileges by providing a malicious binary named `codeagent-wrapper`.
- Command Execution (MEDIUM): The prompt instructions (`dispatch-task.md`, `spawn-review.md`) explicitly direct the agent to execute shell commands and pipe dynamically generated configurations into a subshell. While intended for orchestration, the combination with unsanitized external input creates a high-risk surface for command injection.
Recommendations
- AI detected serious security threats
Audit Metadata