workflow-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several standard development and security auditing tools, including git, npm, pip, semgrep, and gitleaks. These commands are used to manage code branches, install dependencies, and perform security sweeps during the session initialization and end-of-day protocols.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes various local project files that could be manipulated to influence agent behavior.
- Ingestion points: The orchestrator reads PROJECT_CONTEXT.md, CLAUDE.md, PLANNING.md, and Backlog.md during session starts to establish project context (as seen in SKILL.md and reference/start-day-protocol.md).
- Boundary markers: Content from these files is interpolated into the agent context without the use of explicit boundary markers or directives to ignore embedded instructions.
- Capability inventory: The orchestrator has access to powerful tools including file system manipulation, package managers, and the capability to spawn and coordinate subagents.
- Sanitization: No validation or sanitization mechanisms were identified for the content ingested from the project documentation.