Council
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions explicitly direct the agent to dynamically load and apply resources (such as PREFERENCES.md and other configurations) from a local path (~/.opencode/skills/CORE/USER/SKILLCUSTOMIZATIONS/Council/) to override default behavior. This mechanism allows for runtime modification of the skill's logic based on files present in the user's home directory.
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`curl`) to perform network operations targeting `localhost:8888` for notifications. This creates a pattern of unauthenticated local inter-process communication via the shell.
- [PROMPT_INJECTION]: The skill contains a large attack surface for indirect prompt injection within its debate workflows. It ingests arbitrary user-provided 'Topics' and interpolates them, along with generated transcripts, into prompts for multiple specialized sub-agents across three distinct rounds.
  - Ingestion points: User-provided 'Topic' input in `Workflows/Debate.md` and `Workflows/Quick.md`.
  - Boundary markers: None. User input and round transcripts are interpolated directly into agent prompts without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can execute shell commands (`curl`) and trigger various specialized sub-agents, including 'Pentester' (Security) and 'Architect' roles.
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the user-provided topic or the intermediary agent responses before they are fed into subsequent rounds.
Audit Metadata