Skills
skills/dnyoussef/ai-chrome-extension/cascade-orchestrator/Gen Agent Trust Hub

cascade-orchestrator

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill defines a 'Codex Sandbox Iteration' pattern designed to autonomously execute tests and modify the primary codebase based on those results.
  • Evidence: The 'Execution Engine' section in SKILL.md outlines logic for rerun_test(test) and apply_fix_to_main(fix) within a loop that attempts to fix code failures automatically up to 5 times.
  • Context: While described as a 'sandbox', the apply_fix_to_main step bridges the gap between the isolated environment and the production source code.
  • [PROMPT_INJECTION]: The orchestrator is designed to process external inputs (e.g., from research stages or GitHub issues) and feed them into code generation models like 'Codex' in 'Full Auto' mode, creating a surface for indirect prompt injection.
  • Ingestion points: Untrusted data enters the context through stage_output, shared_memory, and GitHub-integrated inputs (SKILL.md).
  • Boundary markers: The workflow definitions lack explicit delimiters or instructions for the agent to ignore potentially malicious content embedded in the processed data.
  • Capability inventory: The skill has the capability to write to the local file system (apply_fix_to_main), execute tests (rerun_test), and interact with GitHub APIs (github-pr).
  • Sanitization: There is no evidence of sanitization or safety-filtering logic applied to data passed between stages or before it is used to generate code fixes.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 2, 2026, 07:18 AM