agents-consilium
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to ingest untrusted data (code or text) and incorporate it into prompts sent to external LLMs.
- Ingestion points: Data enters through
scripts/consensus-query.sh(via stdin or context files) andscripts/code-review.sh(reviewing files on disk or unified diffs). - Boundary markers: The skill employs multiple isolation techniques, including CDATA sections in
scripts/code-review.shand explicit structural headers (e.g., '--- Input ---') inscripts/common.shto separate user content from system instructions. - Capability inventory: The orchestration scripts spawn external CLI tools (
codex,gemini,opencode,claude) using strictly enforced read-only or plan-mode guardrails (e.g.,--sandbox read-only,--permission-mode plan) to prevent unauthorized file system modifications. - Sanitization: The output logic utilizes XML escaping and CDATA wrapping to ensure that agent findings are safely presented in reports.
- [COMMAND_EXECUTION]: The skill executes external model CLIs. Security is maintained by using quoted variables to prevent argument injection and by leveraging the native read-only sandbox or plan-mode features of the respective CLIs to limit their impact on the host system.
- [DATA_EXFILTRATION]: The skill handles sensitive API keys (e.g.,
GEMINI_API_KEY,GOOGLE_GENERATIVE_AI_API_KEY) required for authenticating with official service providers. This access is necessary for the skill's primary function and involves transmission only to well-known technology vendors.
Audit Metadata