coordinator
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the
workmuxCLI to manage background processes and execute shell commands within separate git worktrees. Theworkmux runcommand allows for the execution of arbitrary shell commands in those environments, which is a powerful capability necessary for the skill's orchestration role. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it acts as a relay for instructions and data. It captures the output of sub-agents and reads local specification files to generate subsequent prompts and commands.
- Ingestion points: Captured output from sub-agents via
workmux captureand contents of local markdown files (plans, specs) read viaReadtool. - Boundary markers: The instructions do not specify any delimiters or safety markers to isolate captured sub-agent output from the coordinator's own logic.
- Capability inventory: Access to
Bashand the ability to spawn/control multiple concurrent Claude sessions with file write/run permissions. - Sanitization: There is no evidence of sanitization or filtering of text captured from sub-agents before it is used to generate new prompt files or instructions.
Audit Metadata