orchestrate-meta

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements dynamic context injection using the !command syntax to perform local directory scans (find) and retrieve recent commit history (git log) at invocation time. These operations are used purely for project state discovery and do not involve network access or external data.\n- [COMMAND_EXECUTION]: The skill includes instructions to synchronize a project manifest by executing a local TypeScript script (manifest-sync.ts) using the bun runtime. This is a standard maintenance task within the skill's operational context.\n- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes various project artifacts (markdown files in research/, brand/, and architecture/) to inform its routing decisions.\n
  • Ingestion points: Files like research/product-context.md, brand/BRAND.md, and architecture/system-architecture.md are read to build a state map.\n
  • Boundary markers: The instructions do not define specific delimiters or include 'ignore embedded instructions' directives for the processed content.\n
  • Capability inventory: The skill has access to Bash and Read tools, though it is explicitly restricted from auto-invoking skills, requiring user confirmation for the proposed commands.\n
  • Sanitization: There is no explicit sanitization or validation logic for the content read from the markdown artifacts.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:33 AM
Security Audit — agent-trust-hub — orchestrate-meta