orchestrating-teams
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The instructions explicitly direct the host agent to 'never perform file reading or analysis' and immediately delegate all reasoning to a sub-agent, overriding standard operational guardrails.
- [COMMAND_EXECUTION]: The workflow depends on an unverified external CLI tool named 'codex' (`codex exec`) to review and validate generated implementation plans.
- [COMMAND_EXECUTION]: The skill mandates spawning sub-agents with the `bypassPermissions` flag enabled. This removes mandatory human-in-the-loop authorization for sensitive actions, such as file system modifications, performed by those sub-agents.
- [PROMPT_INJECTION]: Raw, un-sanitized user requests are directly interpolated into the planner agent's prompt. This creates a path for indirect prompt injection where the planner generates a plan that controls the subsequent behavior of all worker agents based on untrusted input.
- Ingestion points: `INSTRUCTIONS.md` (Phase 1, Step 2).
- Boundary markers: None; user input is directly concatenated into the sub-agent prompt.
- Capability inventory: The 'planner' agent can write plan files, and 'implementer' agents have full file system access with bypassed permissions.
- Sanitization: No sanitization or validation of user-supplied text is performed.
Audit Metadata