autonomous-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The `trigger_research_cycle` function in `reference/failure-recovery.md` constructs a prompt using `$(get_attempt_history "$issue")`. This history often includes logs or previous worker outputs, which are untrusted. If these logs contain "Ignore previous instructions" or other jailbreak patterns, the research agent's behavior can be overridden.
- INDIRECT_PROMPT_INJECTION (HIGH):
  - Ingestion points: The skill reads failure logs and issue history in `reference/failure-recovery.md` via `get_attempt_history` and `get_worker_issue`.
  - Boundary markers: None. The untrusted data is directly concatenated into the markdown-formatted prompt.
  - Capability inventory: The system can revert pull requests (`rollback_pr`), modify project boards (`update_project_status`), and spawn new workers with full-auto capabilities (`spawn_worker`).
  - Sanitization: No evidence of sanitization, filtering, or escaping for the interpolated content.
- COMMAND_EXECUTION (MEDIUM): The skill uses `codex exec` to run agents with `--full-auto` permissions. While the research agent is labeled read-only, its output (the "research context") is fed into the next worker, which has significantly higher privileges, including `git push` and `gh project item-edit`.
- DATA_EXPOSURE (LOW): The `enter_sleep` function posts internal state, including orchestration IDs and PR lists, to public GitHub issue comments. While expected for this workflow, it increases the metadata available to potential attackers.
Recommendations
- AI detected serious security threats
Audit Metadata