ln-1000-pipeline-orchestrator
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands for file management (cp, rm, mkdir), Git operations (git worktree), and process control (kill). It also runs internal CLI scripts using the Node.js runtime.
- [COMMAND_EXECUTION]: The skill executes a PowerShell script (prevent-sleep.ps1) using the -ExecutionPolicy Bypass flag on Windows to override security restrictions, which is a high-risk command execution pattern.
- [REMOTE_CODE_EXECUTION]: The skill performs dynamic loading of Node.js modules in scripts/lib/arch-snapshot.mjs using import() with computed paths. It specifically targets paths outside the skill's own directory (../../../mcp/hex-graph-mcp/lib/store.mjs) to load external libraries.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from kanban_board.md and task tracking APIs (Linear and GitHub). This data influences orchestration logic and is passed to delegated sub-skills.
- Ingestion points: Story titles, descriptions, and Epic metadata from kanban_board.md and API responses.
- Boundary markers: Lacks explicit delimiters or instructions to ignore embedded commands within ingested story content.
- Capability inventory: Significant subprocess (shell, powershell, git) and file system capabilities are used across all runtime scripts.
- Sanitization: Content from story descriptions is not sanitized or escaped before being processed by the orchestrator.
Recommendations
- AI detected serious security threats
Audit Metadata