coliseum-orchestrator
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to perform file system management, specifically creating directory structures likecoliseum-runs/<grain-slug>-YYYY-MM-DD/and managing context files. - [PROMPT_INJECTION]: The instructions include strong directives to avoid user interaction and prioritize autonomous decision-making ("No prompt ping-pong", "Do not ask the user clarifying questions to begin"). While intended for efficiency, this removes standard human-in-the-loop safety checks when processing external inputs.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection:
- Ingestion points: The user-provided
grain(prompt) is the primary input for the orchestration sequence. - Boundary markers: The grain is written verbatim into
grain-context.md, but there are no instructions to sanitize or escape the content before it is read by subsequent phases or subagents. - Capability inventory: The skill has access to powerful tools including
Bash,Write,Edit, andAgent(for subagent dispatch). - Sanitization: There is no sanitization of the input grain; in fact, the protocol discourages the orchestrator from verifying the content with the user before execution.
Audit Metadata