workflow-orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Shell command injection vulnerability in scripts/analyze-task.sh. The script uses an unquoted heredoc (cat << EOF) to generate JSON output containing the user-provided task description. Because the delimiter is unquoted, the shell expands variables and executes command substitutions (e.g., $(...)) in the heredoc body, so a crafted task description that reaches that body lets an attacker execute arbitrary shell commands on the host system.
- [COMMAND_EXECUTION]: Shell command injection vulnerability in scripts/generate-workflow.sh. The script uses sed inside double quotes to interpolate the task name. The shell evaluates any command substitutions (e.g., $(...)) present in the task name before the sed command is executed, leading to arbitrary code execution.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its architecture processes untrusted task data for agent orchestration.
  - Ingestion points: scripts/analyze-task.sh and scripts/generate-workflow.sh take task descriptions as input.
  - Boundary markers: No markers or instructions are present to prevent agents from interpreting data content as instructions.
  - Capability inventory: Agent configurations grant extensive privileges, including arbitrary bash command execution and full file system write access.
  - Sanitization: There is no evidence of input validation or sanitization for task strings before they are used in script logic or agent prompts.
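The two command-execution findings above, as an added example that is not the skill's own code: a throwaway script built by splicing a constructed task string into shell source reproduces both patterns (the unquoted heredoc and the double-quoted sed expression), and hardened versions keep the task as data. The example assumes the task text lands verbatim in shell source text, for instance in a generated workflow script that is run afterwards or pasted by the agent into a command line; a value expanded from a shell variable is not re-parsed for $(...), so that splicing is what makes the substitution execute. Function names, the template layout and the sample task are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the workflow-orchestrator skill. Reproduces
# the two injection patterns the audit describes and shows hardened forms.
# Assumption: the task text is written verbatim into shell source (e.g. a
# generated workflow script run later); that is what lets $(...) execute.
set -u

# Constructed attacker-controlled task description (benign payload).
TASK='Summarize logs $(echo INJECTED)'

# Vulnerable pattern 1: unquoted heredoc delimiter in generated script text.
# When the generated script runs, the shell expands $(...) in the body.
vuln_emit_json() {
  tmp=$(mktemp)
  {
    echo 'cat << EOF'
    printf '{"task": "%s"}\n' "$1"    # task text becomes part of the source
    echo 'EOF'
  } > "$tmp"
  sh "$tmp"
  rm -f "$tmp"
}

# Vulnerable pattern 2: task name inside a double-quoted sed expression in
# generated script text; the shell evaluates $(...) before sed runs.
vuln_sed_rename() {
  tmp=$(mktemp)
  printf 'echo "name: TASK_NAME" | sed "s/TASK_NAME/%s/"\n' "$1" > "$tmp"
  sh "$tmp"
  rm -f "$tmp"
}

# Hardened: keep the task as data. Escape backslash, double quote and newline
# for JSON (other control characters are not handled here; reject them or
# use jq --arg where it is available).
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# The value comes from a variable and is printed through %s, which is never
# re-parsed for command substitution, so $(...) stays literal text.
safe_emit_json() {
  printf '{"task": "%s"}\n' "$(json_escape "$1")"
}

# sed replacement text needs \, the / delimiter and & escaped; a newline
# would terminate the s command, so single-line names are enforced.
safe_sed_rename() {
  nl='
'
  case $1 in
    *"$nl"*) echo 'task name must be a single line' >&2; return 1 ;;
  esac
  repl=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's|/|\\/|g' -e 's/&/\\&/g')
  echo 'name: TASK_NAME' | sed "s/TASK_NAME/$repl/"
}

# Demo: the vulnerable forms print INJECTED, the hardened forms keep $(...)
# as literal text.
printf 'vulnerable heredoc : %s\n' "$(vuln_emit_json "$TASK")"
printf 'hardened heredoc   : %s\n' "$(safe_emit_json "$TASK")"
printf 'vulnerable sed     : %s\n' "$(vuln_sed_rename "$TASK")"
printf 'hardened sed       : %s\n' "$(safe_sed_rename "$TASK")"
```

Quoting the heredoc delimiter (cat << 'EOF') stops expansion, but a task containing a line that reads EOF would still end the heredoc early and hand the rest of the text to the shell as commands, which is why the hardened form never writes the task into script text at all. The same reasoning applies to agent prompts: task content should be passed as a delimited data field rather than concatenated into instructions.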
Recommendations
- AI detected serious security threats
Audit Metadata