oma-orchestrator

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The orchestrator is designed to spawn multiple independent processes via the 'oma agent:spawn' command to execute tasks in parallel.
  • [COMMAND_EXECUTION]: The configuration in 'config/cli-config.yaml' contains explicit instructions to bypass safety and permission checks for all supported CLI vendors. Specifically, it uses '--approval-mode=yolo' for gemini, '--dangerously-skip-permissions' for claude, '--full-auto' for codex, and '--yolo' for qwen. This configuration removes critical human-in-the-loop safeguards.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting task descriptions and acceptance criteria from 'task-board.md' and interpolating them directly into subagent prompts via the 'resources/subagent-prompt-template.md'.
  • [PROMPT_INJECTION]: Ingestion points: 'task-board.md' provides the content for task descriptions and criteria used to build subagent prompts.
  • [PROMPT_INJECTION]: Boundary markers: The template in 'resources/subagent-prompt-template.md' does not utilize delimiters or specific instructions to isolate user-provided task content from the subagent's execution instructions.
  • [PROMPT_INJECTION]: Capability inventory: Spawned subagents have the capability to execute shell commands and perform file operations with bypassed safety checks via the 'oma' CLI.
  • [PROMPT_INJECTION]: Sanitization: There is no evidence of content validation or sanitization for the data processed from the task board before it is sent to the subagents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 09:40 AM
Security Audit — agent-trust-hub — oma-orchestrator