oma-orchestrator

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill configuration in config/cli-config.yaml explicitly enables autonomous execution modes for various CLI tools. Examples include --dangerously-skip-permissions for Claude and --approval-mode=yolo for Gemini. This configuration bypasses built-in safety mechanisms intended to require user approval for dangerous operations.
  • [COMMAND_EXECUTION]: Several wrapper scripts, including scripts/spawn-agent.sh and scripts/parallel-run.sh, use the "$@" pattern to pass all command-line arguments directly to a sub-shell. This creates a potential command injection surface if the input arguments (such as task descriptions) contain malicious shell metacharacters that are not sanitized by the underlying oma tool.
  • [REMOTE_CODE_EXECUTION]: By spawning sub-agents with full tool-use capabilities and disabling guardrails, the orchestrator enables unreviewed execution of code generated by AI models. If a sub-agent's task description is manipulated via indirect prompt injection, it could lead to the execution of arbitrary malicious payloads.
  • [PROMPT_INJECTION]: The skill implements an 'Agent-to-Agent Review Loop' (documented in SKILL.md) where the output of implementation agents is fed into QA agents and back to the orchestrator. This design is vulnerable to Indirect Prompt Injection (Category 8), where an implementation agent could produce malicious content that overrides the instructions of the QA agent or the orchestrator itself.
  • Ingestion points: The orchestrator reads progress-{agent-id}-{sessionId}.md and result-{agent-id}-{sessionId}.md files generated by untrusted sub-agents.
  • Boundary markers: The subagent-prompt-template.md lacks clear boundary markers (e.g., XML tags or clear separators with 'ignore embedded instructions' warnings) when interpolating task-specific data.
  • Capability inventory: The orchestrator has the capability to spawn processes (oma agent:spawn) and execute arbitrary shell commands via the configured vendors.
  • Sanitization: There is no evidence of sanitization or validation of the content read from sub-agent result files before it is processed or used to construct subsequent prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 9, 2026, 02:17 PM