invariants
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill enforces a strict division of labor where the AI agent only handles natural-language elicitation, while all file operations and schema validations are performed by a dedicated tool (
exarchos_orchestrate). This prevents the agent from directly manipulating YAML files or introducing malformed configurations.\n- [SAFE]: The enforcement mechanism is limited to a declarative DSL (grep, structural, heuristic patterns) and explicitly excludes executable components likescript,exec, orshell. This design choice prevents the creation of malicious invariants that could execute arbitrary code during a review process.\n- [SAFE]: The skill implements a mandatory 'dry-run' and explicit confirmation step before committing any changes to the file system. This human-in-the-loop requirement ensures that the user reviews the exact changes being made, mitigating the risk of unintended modifications.\n- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it allows users to author natural languageaudit-promptfields that guide downstream analysis agents. \n - Ingestion points: User input provided during the invariant authoring interview (SKILL.md, Step 1 and 4).\n
- Boundary markers: None specified for the interpolated
audit-promptcontent within the generated YAML structure.\n - Capability inventory: File writing capabilities are gated through the
exarchos_orchestratetool (SKILL.md).\n - Sanitization: Relies on schema validation in the
invariants_addaction, though the natural language content is not sanitized against adversarial instructions.
Audit Metadata