coliseum-orchestrator

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform file system management, specifically creating directory structures like coliseum-runs/<grain-slug>-YYYY-MM-DD/ and managing context files.
  • [PROMPT_INJECTION]: The instructions include strong directives to avoid user interaction and prioritize autonomous decision-making ("No prompt ping-pong", "Do not ask the user clarifying questions to begin"). While intended for efficiency, this removes standard human-in-the-loop safety checks when processing external inputs.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection:
  • Ingestion points: The user-provided grain (prompt) is the primary input for the orchestration sequence.
  • Boundary markers: The grain is written verbatim into grain-context.md, but there are no instructions to sanitize or escape the content before it is read by subsequent phases or subagents.
  • Capability inventory: The skill has access to powerful tools including Bash, Write, Edit, and Agent (for subagent dispatch).
  • Sanitization: There is no sanitization of the input grain; in fact, the protocol discourages the orchestrator from verifying the content with the user before execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 12:03 PM
Security Audit — agent-trust-hub — coliseum-orchestrator