multi-agent-orchestrator

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Path traversal in session management. The SessionManager class and the results management script build file paths from unsanitized user-provided session IDs, so a crafted ID containing traversal segments (../) can read or delete .json files outside the intended sessions directory.
    • Evidence: In lib/orchestrator.js, the getSession method calls path.join(SESSIONS_DIR, `${sessionId}.json`) without validating sessionId. In bin/orchestrator-results.js, the delete operation calls path.join(SESSIONS_DIR, `${deleteId}.json`) with the user-provided deleteId directly.
  • [PROMPT_INJECTION]: Direct system prompt injection via context parameters. The orchestration engine appends user-controlled context data directly to the agent's system prompt, allowing instruction override.
    • Evidence: The executeTask method in lib/orchestrator.js appends the context.language and context.focus strings directly to the systemPrompt variable.
  • [DATA_EXFILTRATION]: Excessive file system access. The CLI tools let the agent read arbitrary local files; combined with the sub-agents' network access, this could be used to exfiltrate sensitive data.
    • Evidence: The orchestrator-delegate.js and orchestrator-parallel.js scripts accept a --file argument and read the content of any user-specified path with readFileSync.
  • [PROMPT_INJECTION]: Indirect prompt injection. The skill passes untrusted input and task descriptions through multiple agents and aggregators without sanitization or boundary markers.
    • Ingestion points: the task and input parameters in lib/orchestrator.js, processed via sub-agents.
    • Boundary markers: absent.
    • Capability inventory: file system read/write/delete operations and network access to the OpenAI and Anthropic APIs.
    • Sanitization: absent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 1, 2026, 05:11 AM