multi-agent-orchestration

Warn

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies heavily on shell scripts that execute dynamic commands. Specifically:
  • scripts/render-runtime-profile.sh uses eval to execute shell-formatted output generated by the script itself.
  • scripts/claude-provider-env.sh dynamically exports environment variables parsed from JSON settings files using jq. While useful for provider isolation, this pattern can be abused if configuration files are poisoned.
  • scripts/spawn-worker.sh and scripts/qoderclicn-interactive-spawn.sh execute arbitrary commands within tmux sessions and use tmux send-keys to inject instructions into active terminal sessions.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface. The primary agent (PM) is instructed to read and act upon STATUS.json, RESULT.md, and PATCH_SUMMARY.md files generated by worker agents. If a worker agent is compromised or malicious, it can embed instructions in these structured data files to manipulate the PM agent's logic, such as triggering unauthorized merges or spawning additional malicious workers.
  • [PERSISTENCE_MECHANISMS]: The skill utilizes a templates/cron-monitor-prompt.md template to register recurring tasks via the agent's cron capabilities. While documented as a 'fail-safe' monitoring mechanism to catch silent worker failures, it constitutes a persistence mechanism that executes periodic logic in the background.
  • [DATA_EXPOSURE]: The CHANGELOG.md notes a previous security finding where real API keys were present in settings files. Although currently replaced with placeholders like PASTE_YOUR_TOKEN_HERE, the orchestration pattern encourages storing multiple API keys in local JSON files (config/*.settings.json), which increases the risk of accidental exposure if .gitignore rules are misconfigured.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 6, 2026, 04:06 PM
Security Audit — agent-trust-hub — multi-agent-orchestration