agent-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing metadata from external SKILL.md files located in the filesystem. An attacker who can place a SKILL.md file in a scanned directory could include malicious instructions in the name or description fields, which are then parsed and included in the orchestration plan presented to the agent.
- Ingestion points: scripts/scan_registry.py recursively crawls directories to find and read SKILL.md files.
- Boundary markers: The orchestration plans generated in scripts/orchestrate.py do not include delimiters or warnings to ignore instructions contained within the skill metadata.
- Capability inventory: The skill uses subprocess.run to execute local scripts and manages a JSON-based registry of identified skills.
- Sanitization: While the skill uses yaml.safe_load() for parsing, it does not sanitize or validate the natural language content of the metadata against prompt injection patterns.
- [COMMAND_EXECUTION]: The match_skills.py script executes the scan_registry.py script via subprocess.run to ensure the registry is up to date. This execution is confined to the project's own Python scripts using the current environment's Python interpreter.
Audit Metadata