sequencer
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its context accumulation mechanism.
  - Ingestion points: According to `references/execution-model.md` and `SKILL.md`, the skill reads task summaries from `/tmp/seq-{run-id}/step-{N-1}.md` and injects them into the prompts of subsequent subagents.
  - Boundary markers: The prompt templates defined in `references/execution-model.md` do not use boundary markers (e.g., XML tags or delimiters) or instructions to disregard potential commands within the handoff context.
  - Capability inventory: The skill has the capability to spawn subagents using the `Agent` tool and invoke any other available skill via the `Skill` tool.
  - Sanitization: There is no evidence of sanitization, escaping, or filtering of the content produced by previous steps before it is interpolated into the next prompt.
- [COMMAND_EXECUTION]: The skill dynamically constructs and executes sequences of commands and skill invocations based on natural language or DSL input.
  - The parser in `references/parsing-guide.md` extracts skill names and arguments from user input to be used in subagent prompts.
  - While this is the intended purpose of the skill, it creates a surface for command injection if the parser is tricked into executing unintended skills with malicious arguments.
  - The risk is mitigated by Rule 1 in `SKILL.md`, which mandates that the agent must present an execution plan and wait for user confirmation before any step is executed.
Audit Metadata