subagent-orchestrator

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill is designed as an orchestrator that ingests data from untrusted subagents and external tools.
      • Ingestion points: Subagent execution results (subagent.execute(manifest)) and outputs from Model Context Protocol (MCP) servers.
      • Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are present in the orchestration logic to prevent subagent outputs from influencing the parent agent's behavior.
      • Capability inventory: The skill possesses the capability to spawn subagents, execute system-level scripts (scripts/monitor-delegation.ts), and read/write files in ~/.gemini/plans/.
      • Sanitization: There is no evidence of sanitization, escaping, or validation of content returned by subagents before it is processed by the parent agent.
  • [Data Exposure & Exfiltration] (SAFE): The skill accesses ~/.gemini/plans/ for plan synchronization. While this involves file system access in the user's home directory, it is documented as a core feature for persistence and does not involve exfiltration to external domains.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:28 PM