sequencer
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Output generated by one step is used as the context for the next step without any sanitization or boundary markers to prevent the subagent from obeying instructions hidden within that data.
- Ingestion points: The skill reads from
/tmp/seq-{run-id}/step-{N-1}.mdto provide context to the next subagent (documented inSKILL.mdandreferences/execution-model.md). - Boundary markers: Absent. The subagent prompt defined in
references/execution-model.mdlacks delimiters (e.g., XML tags or clear headers) and does not include instructions to ignore any embedded directives within the context file. - Capability inventory: The skill can spawn subagents capable of invoking any available
SkillorAgent, which may include tools for file modification or network access. - Sanitization: None. Data is passed directly from the output of one step into the prompt of the next.
- [COMMAND_EXECUTION]: The skill acts as an orchestrator for arbitrary skill and agent execution. Although it includes a manual confirmation step where the user reviews the 'Execution plan', the automated nature of the pipeline increases the risk that complex or obfuscated malicious tasks could be approved and executed in sequence.
Audit Metadata