orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests user data via '$ARGUMENTS' and provides the agent with destructive capabilities over an external orchestration platform.
- Ingestion points: User input passed through the '$ARGUMENTS' variable is used to determine actions.
- Capability inventory: The agent has access to tools like 'testany_delete_gatekeeper', 'testany_delete_plan', and 'testany_update_plan' which can result in data loss or service disruption.
- Boundary markers: No explicit delimiters (e.g., XML tags or triple quotes) or 'ignore embedded instructions' warnings are provided to separate user input from system logic.
- Sanitization: There is no instruction for the agent to validate or sanitize the intent within '$ARGUMENTS' before executing destructive MCP tool calls.
- Command Execution (MEDIUM): The skill contains executable shell templates for CI/CD environments (GitHub Actions, Jenkins, GitLab CI) that use 'curl' to interact with webhooks.
- Evidence: Integration examples in the 'CI/CD 集成示例' (CI/CD Integration Examples) section provide boilerplate code that executes shell commands.
- Risk: While these are intended as documentation, if the agent interprets these as commands to be run or if an attacker can manipulate the parameters (like the Webhook URL), it could lead to unauthorized network requests or environment compromise.
Recommendations
- AI detected serious security threats