orchestrator
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions explicitly recommend using the --dangerously-skip-permissions flag when invoking sub-agents. This practice bypasses built-in security prompts, allowing the agent to perform actions without explicit user confirmation.
- [REMOTE_CODE_EXECUTION]: The skill configuration and instructions rely on the execution of Python scripts (agent_orchestrator.py and swarm_run.py) that reside outside the skill's root directory via relative paths (../../../scripts/). This creates a dependency on external code that is not contained within the skill's own distribution.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it accepts untrusted user triggers to determine complex routing logic and generate downstream task packets.
  - Ingestion points: Untrusted user input enters the workflow through the primary 'trigger' assessment described in SKILL.md.
  - Boundary markers: There are no defined delimiters or instructions to treat user triggers as untrusted data when generating planning artifacts.
  - Capability inventory: The orchestrator has powerful capabilities including Bash execution, Read/Write file access, and the ability to spawn and control sub-agents.
  - Sanitization: The instructions lack any requirement for input validation or escaping before user-provided content is incorporated into task packets.
Audit Metadata