sequential-orchestration

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses highly directive language such as 'CRITICAL CONSTRAINTS (NEVER VIOLATE)' and 'HIGHEST PRIORITY' to ensure the agent follows the orchestration loop. While this is an internal control mechanism for the workflow, it uses linguistic patterns similar to those found in instruction override attempts.
  • [PROMPT_INJECTION]: The orchestrator exhibits a vulnerability surface for indirect prompt injection.
      • Ingestion points: Task descriptions and details are extracted from 'tasks.md' via 'spec_parser.py' and used in 'dispatch_task.py'.
      • Boundary markers: Prompts in 'dispatch_task.py' use standard markdown headers (e.g., '## Your Task') but do not include explicit 'ignore embedded instructions' warnings for the interpolated data.
      • Capability inventory: The skill executes tasks via 'codeagent-wrapper', which has the capability to perform file operations and shell commands.
      • Sanitization: No validation, escaping, or filtering is applied to the content of 'tasks.md' before it is interpolated into the task prompts.
  • [COMMAND_EXECUTION]: The Python scripts 'dispatch_task.py' and 'sequential_loop.py' utilize 'subprocess.run' to invoke an external utility named 'codeagent-wrapper'. The resolution logic in 'codeagent_utils.py' dynamically searches for this executable in several system and user-controlled paths, including '/.local/bin' and '/.claude/bin'.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 08:43 PM