Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from multiple sources to generate execution plans, including verification commands that are subsequently intended for execution by the agent. This represents an indirect prompt injection surface.
- Ingestion points: Processes repo-root files such as SLICES.md and plan-N.md, as well as user-provided lists and external GitHub PR data referenced in the adapter specifications.
- Boundary markers: The output is structured as YAML (OrchPlan v1), but content from untrusted sources is interpolated into executable fields like 'validation' and 'location' without specific escaping or safety delimiters.
- Capability inventory: The associated pipelines and adapters explicitly instruct the agent to run commands found in the 'validation' or 'verification' fields of the ingested task data.
- Sanitization: The skill lacks explicit sanitization or validation logic for the commands extracted from external sources, relying only on a general instruction that commands be 'safe'.
- [COMMAND_EXECUTION]: The skill's architecture facilitates the execution of arbitrary commands by extracting them from task source files and embedding them in the orchestration plan's validation steps for the agent to follow.