journey-loop

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from a user-supplied specification file that influences the behavior of sub-agents and the eventual content of the root skill instructions.
  • Ingestion points: Reads specification files (via $ARGUMENTS or spec.md) and logs from the Refiner agent.
  • Boundary markers: Absent; there are no delimiters or instructions provided to sub-agents to ignore embedded commands within the ingested content.
  • Capability inventory: The orchestrator can spawn new agents with arbitrary prompts, write to the local filesystem (including its own SKILL.md), and maintain state across iterations.
  • Sanitization: None; the skill does not validate or sanitize the specification content or the output from the refiner before using it to rebuild the agent context.
  • [COMMAND_EXECUTION]: The orchestrator implements a dynamic execution pattern by spawning new sub-agents using the full content of SKILL.md as the task prompt. Because the Refiner phase is explicitly designed to edit this SKILL.md file, the orchestrator is effectively executing instructions that are modified and assembled at runtime.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 28, 2026, 01:44 AM