pentaphase-orchestrator

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it captures user input verbatim and stores it in a shared context file used by subsequent agents.
  • Ingestion points: In Phase 0, the agent asks the user five questions (Substrate, Driving force, Failure point, Operational roles, Time horizon) and is instructed to capture the answers "verbatim".
  • Boundary markers: There are no instructions to use delimiters, XML tags, or Markdown code blocks to isolate user-provided content in substrate-context.md, nor are there warnings for downstream skills to ignore embedded directives within that file.
  • Capability inventory: The orchestrator utilizes Bash, Write, and Edit tools to manage directories and files. It also invokes six other specialized skills (such as landscape-discovery-audit and systemic-ingestion-normalization) that have access to the captured user data.
  • Sanitization: The instructions do not specify any validation, escaping, or sanitization of user input before it is stored and passed to other phases in the protocol.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 12:03 PM
Security Audit — agent-trust-hub — pentaphase-orchestrator