council-2
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: SQL Injection vulnerability in `references/chamber-orchestrator.sh`. The script handles member IDs by performing a simple string replacement and interpolating the result directly into a `sqlite3` command without sanitization. This allows for manipulation of the local database via malicious member IDs.
- [COMMAND_EXECUTION]: Unsafe shell command construction in `SKILL.md`. The tools `council_add_member` and `council_chamber` use bash commands that interpolate user-provided values (like topic or member names) directly into string literals. If an agent processes malicious input, this can lead to command injection or unintended database operations.
- [EXTERNAL_DOWNLOADS]: Remote data retrieval in `references/graphiti-bridge.sh`. The skill uses `curl` to fetch content from an external Graphiti service. While intended for local knowledge retrieval, the service endpoint is configurable and could be pointed to untrusted remote sources.
- [PROMPT_INJECTION]: Indirect Prompt Injection surface (Category 8).
  - Ingestion points: Data enters the prompt from an external API via `references/graphiti-bridge.sh` and from the local database via `references/chamber-orchestrator.sh`.
  - Boundary markers: The skill uses basic headers like `=== Relevant Context from Knowledge Graph ===` and `🧠 Institutional Memory:`, which are insufficient to prevent an LLM from following instructions embedded in the external content.
  - Capability inventory: The skill has access to `sqlite3` for local data modification and `bash` for orchestration of new agent sessions.
  - Sanitization: There is no evidence of validation, escaping, or filtering of retrieved 'facts' or 'personas' before they are placed into the deliberation prompt.
Audit Metadata