oc-orchestrator
Warn
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill implements a "Self-improvement" mechanism where it can spawn an
oc-toolsmithsubagent to author new CLI tools and save them to atoolbox/directory. These generated scripts are subsequently executed at runtime using theoc toolbox runcommand. This runtime code generation and execution flow allows the agent to dynamically expand its own capabilities, which poses a security risk if the logic being generated is influenced by untrusted data. - [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its "steering" logic which incorporates external data into agent prompts without sanitization.
- Ingestion points: Untrusted data is read from the
open_steeringledger via theoc statuscommand and from manifest files inflows/<flow>.yaml. - Boundary markers: The instructions lack boundary markers or delimiters, instead directing the agent to fold directives into prompts as "verbatim text".
- Capability inventory: The skill possesses powerful capabilities including
Bash(shell execution),Agent(subagent spawning), andRead/Write(file system access) across its operational scripts. - Sanitization: There is no evidence of filtering or validation; subagents are explicitly commanded to "obey it" and "honor steering over its own default judgment."
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to interact with a system CLI tool (oc). While this is central to its video processing function, it provides the execution layer that could be leveraged by the dynamic code generation and injection vectors identified above.
Audit Metadata