paseo-orchestrate

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection through its multi-agent orchestration logic. It aggregates user input and findings from early-phase agents to construct prompts for later-phase agents.
    • Ingestion points: User-supplied task descriptions in the $ARGUMENTS variable (SKILL.md) and activity summaries gathered from researcher and auditor agents (research-phase.md, planning-phase.md).
    • Boundary markers: The generated prompts for sub-agents do not use delimiters or instructions to ignore potentially malicious commands embedded in the ingested data.
    • Capability inventory: The skill utilizes the Bash tool for file and system operations and the Paseo MCP suite for managing autonomous agents and scheduling tasks.
    • Sanitization: The skill does not perform sanitization, escaping, or validation on external content before interpolating it into prompts for secondary agents.
  • [COMMAND_EXECUTION]: The orchestrator performs various system and development operations via the command line.
    • Evidence: Use of the Bash tool for reading local configuration files (~/.paseo/orchestrate.json), interacting with git, and executing project tools like npm run typecheck. It also employs the create schedule tool to implement a persistent heartbeat mechanism for task monitoring.
Audit Metadata
Risk Level
SAFE
Analyzed
May 2, 2026, 02:23 PM