polyphony
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill describes an architecture that relies on executing shell commands for orchestration, including `docker`, `orbctl`, `git clone`, and the `gh` CLI for interacting with GitHub APIs.
- [PROMPT_INJECTION]: The skill identifies an attack surface for indirect prompt injection, as it processes data from external, untrusted sources.
  - Ingestion points: Tasks are discovered via GitHub Issues (`gh api`) or a local SQLite queue, as described in the 'Architecture' section.
  - Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions for the content of processed issues.
  - Capability inventory: The orchestrator performs container lifecycle management (create/start/stop), git operations (clone/branch), and executes agent CLI commands (Claude, Codex, Kimi).
  - Sanitization: No sanitization or validation of the ingested task content is mentioned.
- [DATA_EXPOSURE]: The skill's configuration involves mounting sensitive host directories into containers. Specifically, it mounts authentication volumes (e.g., `~/.claude`) into the worker runtime to provide identity for the agents. While mounted read-only, this exposes local CLI session credentials to the execution environment.
Audit Metadata