task-orchestrator
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE (finding categories: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill functions as an orchestrator that ingests data from the client-intake skill, specifically the project requirements and client context fields. This data is subsequently passed to downstream implementation skills (e.g., project-management, lead-dev), creating a surface for indirect prompt injection: if user-provided requirements contain malicious instructions, they could influence the behavior of the agents receiving the dispatched tasks.
  - Ingestion points: agents/execution/task-dispatcher.md (accessing task.context.requirements).
  - Boundary markers: The provided logic does not explicitly define markers or delimiters to isolate untrusted user data from agent instructions.
  - Capability inventory: The orchestrator itself has limited permissions, but it dispatches work to implementation skills that may have file system or network access, so injected instructions that pass through the orchestrator reach agents with more capability than the orchestrator has.
  - Sanitization: There is no evidence of string sanitization or instruction filtering for ingested data within the orchestration scripts.
- [COMMAND_EXECUTION]: The skill contains a suite of test scripts in the tests/ directory designed for development-time validation. These scripts use Node.js and shell commands to read files and verify the skill's directory structure.
  - Evidence: tests/run-tests.sh and tests/utils.js use the Node.js fs module to scan the agents directory.
- [SAFE]: All components, including the state machine, queue manager, and audit logger, operate as described in the documentation. No obfuscated code, hardcoded credentials, or unauthorized external communications were detected.
Audit Metadata