workflow-orchestrator
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture presents an Indirect Prompt Injection surface (Category 8) in its workflow execution logic.
- Ingestion points: The orchestrator reads untrusted data from `.workflow` configuration files and step result metadata stored in `/job/tmp/workflows/`.
- Boundary markers: Absent. The skill does not utilize delimiters or specific instructions to isolate interpolated variable content from the system prompt template.
- Capability inventory: The `executeAgentStep` function in `workflow-executor.js` triggers agent jobs with custom prompts and personalities, providing a high-impact target for injection.
- Sanitization: Absent. The `resolveVariables` function performs direct string substitution using a regular expression without validation or escaping, enabling multi-step injection chains where one agent's malicious output hijacks the next agent's behavior.
Audit Metadata