llm-council

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it automatically ingests content from local workspace files and interpolates that data into prompts for five advisor sub-agents.
  • Ingestion points: Project root files (e.g., CLAUDE.md), content from a memory/ directory, and any files referenced or attached by the user during the session.
  • Boundary markers: The skill uses --- delimiters to wrap the framed question and context within the prompts sent to the advisor sub-agents. A plain --- line is a weak boundary: it is ordinary content in Markdown (horizontal rules, YAML front matter at the top of files such as CLAUDE.md), so an ingested file can contain or forge it without any special effort.
  • Capability inventory: The agent performs file read operations on the workspace and file write operations to save transcripts (e.g., council-transcript-[timestamp].md).
  • Sanitization: No explicit sanitization, filtering, or validation of the content read from workspace files is described before it is processed by the advisors.
  • [COMMAND_EXECUTION]: The skill instructs the agent to perform extensive file system operations, specifically scanning the local workspace for relevant documentation using Glob and Read tools. This includes searching for sensitive business information such as revenue data, past launch results, and project logs to inform the advisors' outputs.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 27, 2026, 02:37 AM