blog-master-orchestrator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION
PROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The `StateManager` class in `scripts/state_manager.py` constructs file paths by concatenating a base directory with a user-provided `project_id`. Because this ID is not sanitized or validated, it is vulnerable to path traversal attacks (e.g., using `../` sequences). This could allow an attacker to read, move, or delete files outside of the intended workspace via functions like `read_state()` and `archive_project()` (which uses `shutil.rmtree` and `shutil.move`).
- [Indirect Prompt Injection] (MEDIUM): The skill implements an indirect prompt injection surface (Category 8) by acting as a central state hub for multiple agents. The script reads and writes to `state.json`, which stores topics, metadata, and phase outputs that are likely consumed by other LLMs in the workflow.
  - Ingestion points: The `read_state()` method in `scripts/state_manager.py` ingests JSON data from the local filesystem.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the state management logic.
  - Capability inventory: The script possesses destructive capabilities, including directory removal (`shutil.rmtree`) and file overwriting (`_write_state`).
  - Sanitization: There is no evidence of content sanitization or validation of the data stored within the state fields (e.g., `topic`, `metadata`) before it is used or potentially interpolated into other agents' prompts.
- [Metadata Poisoning] (LOW): The `references/README.md` file contains descriptive metadata and author information. While benign in this context, it contributes to the overall surface area for providing misleading information to the agent.
Audit Metadata