delivering-mvp-fleet
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implements a legitimate multi-agent orchestration workflow. It manages project state through a local file system and structured documentation.
- [COMMAND_EXECUTION]: The bundled script
scripts/flow.pyis a utility for managing a task board in JSON format. It performs standard file operations (reading/writingboard.json) and graph validation (dependency checks, cycle detection). The script does not utilize network resources or execute arbitrary external commands. - [PROMPT_INJECTION]: The skill exposes a surface area for indirect prompt injection, as it ingests and processes untrusted user data into agent mandates.
- Ingestion points:
SKILL.md(Phase 0: 'vague idea', Phase 4: 'user reports a bug'). - Boundary markers: The mandate template in
references/worker-protocol.mdprovides structural organization but lacks explicit delimiters (such as XML tags or dedicated 'ignore instructions' warnings) to isolate untrusted user input within the worker's context. - Capability inventory:
scripts/flow.py(file system writes). The orchestrator agent is designed to manage and spawn other agents/workers. - Sanitization: The instructions do not specify sanitization or validation of user-provided product ideas or bug reports before they are interpolated into mandates.
- Note: This reflects the inherent risk model of orchestration skills. The framework attempts to mitigate this through 'Honesty invariants' and alignment benchmarks called 'golden case cards'.
Audit Metadata