orchestration
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an orchestration pattern that is susceptible to indirect prompt injection. Task-specific data, such as descriptions and titles, are interpolated directly into the instructions sent to sub-worker agents without sanitization or robust boundary markers. An attacker-controlled task definition could include instructions to override the sub-worker's behavior.
- Ingestion points: File SKILL.md (Task Template section) using placeholders like {task.description}.
- Boundary markers: Absent. The template uses simple text labels (e.g., 'Description: {task.description}') which do not isolate untrusted content.
- Capability inventory: The orchestration scripts use 'aiter terminal write' to execute commands, 'aiter project create' for infrastructure management, and 'aiter notify/message' for external communication.
- Sanitization: No sanitization or validation of the plan JSON or sub-agent output is described in the workflow.
- [COMMAND_EXECUTION]: The orchestration logic depends on executing shell commands and parsing terminal output using grep and jq. This creates a risk where a compromised sub-agent could output spoofed status markers (e.g., [DONE] or [ERROR]) to manipulate the orchestrator's state machine and execution flow.
Audit Metadata