orchestrate-marketing
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to run a local synchronization script.
- Evidence: The command 'bun ${SKILLS_ROOT:-.claude/skills}/meta-skills/scripts/manifest-sync.ts' is used in the state detection step to refresh project metadata. This script is part of the local skill environment and does not involve remote downloads.
- [DATA_EXPOSURE]: The skill reads project-specific artifacts and metadata from the filesystem.
- Evidence: It consumes files in 'research/', 'brand/', and '.agents/' to infer the current pipeline status. This data is used locally for decision logic and is not exfiltrated.
- [INDIRECT_PROMPT_INJECTION]: The skill processes content from various project files to determine the user's marketing needs.
- Evidence: It reads 'BRAND.md', 'product-context.md', and other artifacts. While this represents an injection surface, the risk is minimized by the requirement that the agent only propose commands for the user to confirm, rather than executing them automatically.
Audit Metadata