agent-loop-orchestrator
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The orchestrator is designed to ingest and act upon content from untrusted external sources like GitHub issues and pull requests, creating a surface for indirect prompt injection attacks.
- Ingestion points: Triage phase in
SKILL.mdscans issues, pull requests, and CI failures. - Boundary markers: None identified; the skill does not specify the use of delimiters or instructions to prevent the agent from executing instructions embedded in the external content.
- Capability inventory: Autonomous agent threads are granted full access to tools including browser capabilities and repository maintenance skills.
- Sanitization: No validation or filtering mechanisms are described for the triaged data before it is passed to worker threads.
- [COMMAND_EXECUTION]: The skill references various internal automation commands (e.g.,
/agent-loop:triage,/agent-loop:start) and shell utilities likesleep. These operations are consistent with the intended functionality of a persistent maintenance orchestrator.
Audit Metadata