orchestrate-meta
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements dynamic context injection using the
!commandsyntax to perform local directory scans (find) and retrieve recent commit history (git log) at invocation time. These operations are used purely for project state discovery and do not involve network access or external data.\n- [COMMAND_EXECUTION]: The skill includes instructions to synchronize a project manifest by executing a local TypeScript script (manifest-sync.ts) using thebunruntime. This is a standard maintenance task within the skill's operational context.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes various project artifacts (markdown files inresearch/,brand/, andarchitecture/) to inform its routing decisions.\n - Ingestion points: Files like
research/product-context.md,brand/BRAND.md, andarchitecture/system-architecture.mdare read to build a state map.\n - Boundary markers: The instructions do not define specific delimiters or include 'ignore embedded instructions' directives for the processed content.\n
- Capability inventory: The skill has access to
BashandReadtools, though it is explicitly restricted from auto-invoking skills, requiring user confirmation for the proposed commands.\n - Sanitization: There is no explicit sanitization or validation logic for the content read from the markdown artifacts.
Audit Metadata