paseo-committee
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill directly interpolates the `$ARGUMENTS` variable into the instructions given to the agent. This allows a user to provide input that could override the intended behavior of the skill, such as instructing the committee to disregard the 'no-edits' rule or perform unauthorized file system operations.
- [PROMPT_INJECTION]: The skill presents a significant indirect prompt injection surface.
  - Ingestion points: The skill ingests untrusted data via the `$ARGUMENTS` parameter and by reading the responses from external 'committee member' agents during Phase 1.
  - Boundary markers: While it uses specific titles like `[Committee] <task>`, it lacks robust boundary markers or escaping to prevent the agent from following instructions embedded within the user arguments or agent responses.
  - Capability inventory: The skill possesses the capability to modify the local file system (Phase 2 implementation) and launch additional implementation agents.
  - Sanitization: No sanitization, escaping, or validation of the input data is performed before it is processed by the agent.
- [COMMAND_EXECUTION]: In Phase 2 ('Implement'), the agent is instructed to implement the generated plan autonomously ('Default: implement yourself'). If the plan has been manipulated through prompt injection, this could lead to the execution of harmful file modifications or system commands using the agent's internal toolset.
- [PROMPT_INJECTION]: The instruction to 'Drive plan → implement → review without yielding to the user' represents a concealment pattern that reduces human oversight, increasing the likelihood that a malicious plan resulting from injection could be executed without intervention.
Audit Metadata