dev-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill employs highly forceful, imperative language to override the agent's standard decision-making processes (e.g., "YOUR NEXT ACTION... MUST include", "If you find yourself doing anything else... you are bypassing the workflow. Stop. Go back."). This is designed to prevent the agent from using alternative tools or manual strategies.
- [COMMAND_EXECUTION]: The skill instructs the agent to use `tmux` to launch detached background sessions. This is a deliberate technique to bypass platform constraints, specifically mentioned as a way to circumvent the 10-minute execution limit (Issue #2909) of the host environment's `run_in_background` tool.
- [COMMAND_EXECUTION]: It manipulates environment variables by unsetting `CLAUDECODE` (`env -u CLAUDECODE`) to bypass restrictions that prevent nesting agent sessions.
- [COMMAND_EXECUTION]: The skill provides commands to identify and terminate processes by PID via `tmux list-sessions` and `kill`, which allows for unauthorized process lifecycle management.
- [COMMAND_EXECUTION]: The orchestrator dynamically executes Python code from the repository's `src` directory (`PYTHONPATH=src`), relying on external modules like `amplihack.recipes` and an undisclosed Rust binary to perform its core functions.
- [DATA_EXPOSURE]: The skill creates and manages state files and logs in the `/tmp/` directory (`/tmp/recipe-runner-output.XXXXXX.log` and `/tmp/amplihack-session-trees/`), which could lead to data leakage or manipulation if permissions are not strictly handled by the underlying system.
Audit Metadata