multi-agent-orchestration
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill's SKILL.md file contains a 'CRITICAL CONSTRAINTS' section that uses high-priority markers ('override all other instructions', 'NEVER VIOLATE') to enforce fully automated execution. This is explicitly designed to bypass human-in-the-loop confirmations during a long-running orchestration process (up to 2 hours), increasing the risk if the agent is misled by external data.
- [REMOTE_CODE_EXECUTION]: The orchestration scripts rely on an external executable named codeagent-wrapper. The skill searches for this tool in various locations, including the system PATH and folders associated with Claude tools (e.g., ~/.claude/bin). This utility is the primary agent for executing code and managing state during orchestration tasks.
- [COMMAND_EXECUTION]: Several scripts, including orchestration_loop.py and dispatch_batch.py, use the subprocess module to launch local Python scripts and the wrapper binary. The system also leverages tmux to manage parallel execution environments.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) by processing task descriptions from a tasks.md file and including them in prompts for other agents.
  - Ingestion points: scripts/spec_parser.py reads and parses tasks.md into JSON data structures.
  - Boundary markers: Absent; descriptions and details from the tasks are interpolated into prompt templates without protective delimiters.
  - Capability inventory: The system can execute arbitrary code via codeagent-wrapper, write to the project file system, and manage terminal sessions.
  - Sanitization: No validation or escaping is applied to the content extracted from tasks.md before it is sent to worker or review agents.
Audit Metadata