step-orchestrator
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from repository-local Markdown plan files and status documents to drive the orchestration loop and subagent instructions.\n
- Ingestion points: The primary sources of untrusted input are the Markdown plan files (e.g., docs/plan.md), project status documentation (.agents/docs/project-status.md), and repository-specific instruction files (AGENTS.md).\n
- Boundary markers: While the skill uses structural headers (e.g., 'Active step:', 'Harness docs to read first:') to frame the subagent prompts, it does not explicitly sanitize or escape the content interpolated from the Markdown files.\n
- Capability inventory: The skill possesses significant capabilities including the ability for the coordinator to write files and perform git commits, and for worker agents to apply code patches and execute arbitrary shell commands for testing purposes.\n
- Sanitization: No explicit validation, filtering, or escaping of repository-derived content is documented before the data is used to influence the agent's logic or passed to worker and reviewer subagents.
Audit Metadata