Skills
skills/trancong12102/agentskills/council-oracle/Gen Agent Trust Hub

council-oracle

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes external command-line tools gemini and codex using Python's subprocess.run method. This is the intended functionality to perform parallel analysis across different AI models.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating untrusted data into instructions for external LLMs.
  • Ingestion points: User-provided questions and content from local files (read via Read, Grep, or Glob tools) are passed to scripts/codex-oracle.py and scripts/gemini-oracle.py via the --question and --context-file arguments.
  • Boundary markers: The scripts use text-based delimiters like ----- BEGIN: {path} ----- to separate context files, which are helpful but can be subverted by adversarial content within the files.
  • Capability inventory: The skill can execute shell commands (via subprocess), perform web searches (WebSearch), and fetch external web content (WebFetch), providing a significant impact area if the agent is misled by injected instructions.
  • Sanitization: There is no evidence of sanitization or filtering of the input strings before they are embedded into the prompt templates, meaning an attacker-controlled file in the codebase could potentially hijack the 'oracle' persona to provide biased or malicious advice.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 7, 2026, 02:04 AM