orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill instructs the user to bypass standard safety confirmations by enabling 'autopilot' mode with full permissions using the
--allow-alland--max-autopilot-continuesflags.\n- [COMMAND_EXECUTION]: The skill executes shell commands, including the GitHub CLI (gh) for issue management and sourcing a local script (source ~/.config/marketinc/board.sh) whose contents are outside the skill's direct control.\n- [DATA_EXFILTRATION]: The skill sends data to external GitHub repositories by creating and updating issues based on the project's progress and the user's initial objective.\n- [INDIRECT_PROMPT_INJECTION]: The orchestrator ingests untrusted user input (feature objectives) and propagates it through a chain of sub-agents (researcher, architect, implementer) without explicit sanitization or boundary markers.\n - Ingestion points: User-defined objectives and vision provided at the start of the pipeline.\n
- Boundary markers: Absent; no instructions are provided to sub-agents to ignore potentially malicious instructions embedded in the objective text.\n
- Capability inventory: The pipeline has extensive file-system access (read/write in
docs/andsrc/), network access (via theghtool), and script execution capabilities.\n - Sanitization: No sanitization or validation of the input objective is performed before it is processed by the specialists.
Audit Metadata