orch-pipeline
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting untrusted external data during its orchestration phases.
  - Ingestion points: Phase 0 (Intake) reads external specification and design documents; Phase 1 (Research) uses `gh search` and the Exa search engine to retrieve code and documentation from external repositories and the web (SKILL.md).
  - Boundary markers: The skill does not define delimiter-based boundary markers around ingested text, nor instructions to ignore commands embedded in it, although it does define high-level phase transitions.
  - Capability inventory: The pipeline has significant capabilities, including automated implementation via the `tdd-guide` agent, file system modifications through vertical slicing, and repository commits (SKILL.md).
  - Sanitization: There is no mention of sanitization or filtering of content retrieved from external sources before it is processed by downstream agents.
  - Mitigation: The risk is significantly reduced by two mandatory human approval gates: Gate 1 (approving the research plan) and Gate 2 (approving the diff and commit messages).
- [DATA_EXFILTRATION]: The skill performs network operations against external services as part of its standard research workflow.
  - Evidence: Phase 1 (Research & Reuse) specifies the use of `gh search repos`, `gh search code`, and the Exa search engine to fetch information from external sources (SKILL.md).
  - Note: These operations are documented as part of the intended development research workflow and target well-known services.
Audit Metadata