workflow-router
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes `ls thoughts/shared/plans/*.md 2>/dev/null` to check for existing planning documents. This is a routine, non-privileged operation used solely for workflow state detection.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection attack surface typical for orchestrator designs.
  - Ingestion points: User input gathered via the `AskUserQuestion` tool (topics, tasks, and symptoms) is directly incorporated into prompts for subagents.
  - Boundary markers: Subagent spawn prompts do not utilize explicit delimiters or security instructions to isolate untrusted user data from agent directives.
  - Capability inventory: The orchestrator can spawn powerful subagents (e.g., 'oracle', 'kraken'), execute shell commands, and invoke diagnostic slash commands.
  - Sanitization: The skill does not appear to perform validation or escaping of user-provided strings before they are passed to specialized agents.
Audit Metadata