agent-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It decomposes a 'macro task' (untrusted external input) into subtasks and interpolates these descriptions directly into dynamically generated SKILL.md files and instructions.md files for sub-agents.
- Ingestion points: The 'macro task' input in SKILL.md and subtask objectives in references/sub-agent-templates.md.
- Boundary markers: Absent. The skill uses standard f-string interpolation without delimiters or instructions to ignore embedded commands.
- Capability inventory: Sub-agents are granted access to the Bash tool, file system operations (Read/Write/Edit), and WebSearch.
- Sanitization: Absent. There is no evidence of validation or escaping for the strings being placed into the sub-agent skills.
- [COMMAND_EXECUTION]: Several sub-agent templates in references/sub-agent-templates.md explicitly grant the 'Bash' tool capability. Specifically, the 'Code Agent' is designed to 'Execute commands, run tests', the 'Analysis Agent' to 'Run Python/analysis scripts', and the 'Integration Agent' to 'Run merge/diff tools'.
- [COMMAND_EXECUTION]: The orchestrator itself executes local Python scripts (scripts/create_agent.py and scripts/dissolve_agents.py) using the system shell.
- [REMOTE_CODE_EXECUTION]: The skill performs dynamic code generation (Category 10) by creating new SKILL.md files at runtime. These files serve as the executable instruction set for sub-agents dispatched via the Task tool. Since these instructions incorporate untrusted data from the macro-task, this represents a significant risk of arbitrary instruction execution.
Audit Metadata