pentaphase-orchestrator
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it captures user input verbatim and stores it in a shared context file used by subsequent agents.
- Ingestion points: In Phase 0, the agent asks the user five questions (Substrate, Driving force, Failure point, Operational roles, Time horizon) and is instructed to capture the answers "verbatim".
- Boundary markers: There are no instructions to use delimiters, XML tags, or Markdown code blocks to isolate user-provided content in
substrate-context.md, nor are there warnings for downstream skills to ignore embedded directives within that file. - Capability inventory: The orchestrator utilizes
Bash,Write, andEdittools to manage directories and files. It also invokes six other specialized skills (such aslandscape-discovery-auditandsystemic-ingestion-normalization) that have access to the captured user data. - Sanitization: The instructions do not specify any validation, escaping, or sanitization of user input before it is stored and passed to other phases in the protocol.
Audit Metadata