
orchestrator

Fail

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/spawn-agent.sh executes shell commands using eval on a command string that incorporates the TASK_CONTENT variable.
      ◦ Evidence: eval "$CMD" > "$RESULT_FILE" 2>&1 in scripts/spawn-agent.sh.
      ◦ Details: Since TASK_CONTENT originates from user-provided task descriptions or external task files, an attacker can inject shell metacharacters (such as backticks or $()) to execute arbitrary commands with the privileges of the agent process.
  • [COMMAND_EXECUTION]: The script scripts/parallel-run.sh parses task definitions from YAML files using insecure string-matching techniques with grep and awk.
      ◦ Evidence: Parsing logic in the parse_yaml_simple and parse_yaml_tasks functions in scripts/parallel-run.sh.
      ◦ Details: These parsing methods do not properly sanitize input, allowing an attacker to craft a YAML file in which fields such as agent, task, or workspace contain malicious payloads that are eventually executed in a shell context.
  • [PROMPT_INJECTION]: The skill configuration and instructions mandate running sub-agents with auto-approval flags that bypass safety filters.
      ◦ Evidence: The use of --yolo for Gemini, --dangerously-skip-permissions for Claude, and --full-auto for Codex, as defined in config/cli-config.yaml and SKILL.md.
      ◦ Details: By removing the human-in-the-loop requirement, the skill enables sub-agents to perform destructive file operations or system commands autonomously. This significantly increases the risk and impact of indirect prompt injection attacks, where a sub-agent might be tricked by malicious data it processes.
  • [COMMAND_EXECUTION]: The "Verification Gate" in the orchestration workflow executes a shell script using parameters derived from task data.
      ◦ Evidence: bash .agent/skills/_shared/verify.sh {agent-type} {workspace}, mentioned in SKILL.md.
      ◦ Details: The {agent-type} and {workspace} values are pulled from the task-board.md file. If an attacker controls the task definitions, they can inject arbitrary commands into these parameters, which will be executed during the verification phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 2, 2026, 07:25 PM
Security Audit — agent-trust-hub — orchestrator