skills/q00/openclip/oc-orchestrator/Gen Agent Trust Hub

oc-orchestrator

Warn

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The skill implements a "Self-improvement" mechanism where it can spawn an oc-toolsmith subagent to author new CLI tools and save them to a toolbox/ directory. These generated scripts are subsequently executed at runtime using the oc toolbox run command. This runtime code generation and execution flow allows the agent to dynamically expand its own capabilities, which poses a security risk if the logic being generated is influenced by untrusted data.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its "steering" logic which incorporates external data into agent prompts without sanitization.
  • Ingestion points: Untrusted data is read from the open_steering ledger via the oc status command and from manifest files in flows/<flow>.yaml.
  • Boundary markers: The instructions lack boundary markers or delimiters, instead directing the agent to fold directives into prompts as "verbatim text".
  • Capability inventory: The skill possesses powerful capabilities including Bash (shell execution), Agent (subagent spawning), and Read/Write (file system access) across its operational scripts.
  • Sanitization: There is no evidence of filtering or validation; subagents are explicitly commanded to "obey it" and "honor steering over its own default judgment."
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to interact with a system CLI tool (oc). While this is central to its video processing function, it provides the execution layer that could be leveraged by the dynamic code generation and injection vectors identified above.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 6, 2026, 03:48 AM
Security Audit — agent-trust-hub — oc-orchestrator