llm-council

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The persistToWiki function in scripts/council.js performs dynamic code loading by using require() on a path resolved three levels above the script directory (../../../dist/db/store.js). This behavior executes code from the host filesystem outside of the skill's own package, which is a security risk if the host environment can be manipulated.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection: it processes untrusted user input and interpolates it directly into prompts for multiple LLMs across three phases. No sanitization or escaping is performed on the input.
    • Ingestion points: User-supplied query in the cmdRun function within scripts/council.js.
    • Boundary markers: The prompts use basic text labels like QUERY: and RESPONSES:, which are insufficient to prevent adversarial input from overriding instructions.
    • Capability inventory: The script performs network operations using the https module and writes files to the user's home directory (~/.pro-workflow/council) and a wiki directory using fs.writeFileSync.
    • Sanitization: The code lacks any input validation, escaping, or filtering for the user-provided query or for the responses generated by models before they are used in subsequent deliberation phases.
  • [DATA_EXFILTRATION]: In scripts/council.js, the custom provider implementation allows the API base URL to be defined via the LLM_COUNCIL_BASE_URL environment variable. If this is configured with a malicious endpoint, the skill will transmit the sensitive LLM_COUNCIL_API_KEY to that untrusted server during execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 12:22 PM
Security Audit — agent-trust-hub — llm-council