orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill's 'Dual-Loop' architecture is susceptible to indirect prompt injection. It reads context files and instructions using the `agent_orchestrator.py` script and interpolates them into markdown 'Strategy Packets' without sanitization.
  - Ingestion points: Files and strings provided via the `--context` and `--instructions` arguments to the `packet` and `correct` commands.
  - Boundary markers: Weak. The `STRATEGY_TEMPLATE` uses standard Markdown headers, which do not reliably isolate instructions from potentially malicious untrusted data.
  - Capability inventory: The Inner Loop agent is granted access to the terminal, editor, and test runners to execute tasks based on the generated packets. `agent_orchestrator.py` executes git commands via `subprocess.run`.
  - Sanitization: Absent. No escaping or validation is performed on the content of context files before prompt interpolation.
- [PROMPT_INJECTION]: The skill documentation in `SKILL.md` explicitly references the `--dangerously-skip-permissions` flag for the `claude-cli-agent`, which encourages bypassing standard security prompts and user authorization checks during sub-agent execution.
- [COMMAND_EXECUTION]: The `agent_orchestrator.py` script uses `subprocess.run` to execute system commands such as `git status`. While the command list is currently limited, the execution context (working directory) is derived from user-provided path arguments.
- [COMMAND_EXECUTION]: Reference documentation in `cli-agent-executor.md` promotes shell command patterns that pipe data between the filesystem and external CLI engines (e.g., `cat <PERSONA> | <CLI_ENGINE> < <INPUT> > <OUTPUT>`), which increases the risk of malicious shell instruction execution if file paths or persona prompts are manipulated.
Audit Metadata