council
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted project data (files and git diffs) via the council_packet structure described in references/packet-format.md. This data is then provided to sub-agents (judges and explorers) without robust boundary markers or sanitization, potentially allowing an attacker to embed malicious instructions in project files that could manipulate agent verdicts or trigger unauthorized tool usage.
- [COMMAND_EXECUTION]: Shell Command Injection Risk. In references/backend-codex-subagents.md and references/cli-spawning.md, the skill describes a mechanism for spawning Codex agents by interpolating a JSON packet directly into a double-quoted string within a Bash tool call (e.g., codex exec ... "{PACKET}"). Because the packet contains arbitrary file content from the project, this pattern is vulnerable to command injection if the input content includes unescaped double-quotes or shell metacharacters, leading to potential arbitrary code execution.
Audit Metadata