workflow-orchestrator
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DYNAMIC_EXECUTION]: The skill implements a 'self-improving' architecture where a linked 'self-improving-agent' is explicitly tasked with updating skill files and instruction sets based on learned patterns. This constitutes a self-modifying instruction loop that could be exploited to permanently alter agent behavior if malicious patterns are 'learned' from untrusted data.
- [COMMAND_EXECUTION]: The skill relies on Bash and Grep to parse project documents (like PRDs and task plans) to determine milestones. It uses these system tools to drive logic flow, which can be manipulated if the files being parsed contain unexpected content.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a significant ingestion surface for indirect injection.
- Ingestion points: Processes project documentation such as
docs/{scope}-prd-task-plan.mdanddocs/{scope}-prd.mdto detect milestones. - Boundary markers: No specific boundary markers or 'ignore' instructions are used when grepping these files for completion markers like 'COMPLETE'.
- Capability inventory: Access to
Bash,Read,Write,Edit, and the ability to trigger a chain of other skills (e.g.,create-pr,self-improving-agent). - Sanitization: Lacks visible sanitization of the content extracted from project files before using it to decide the next workflow step.
- [EXTERNAL_DOWNLOADS]: The documentation points to an external collection of skills located at
github.com/Charon-Fan/agent-playbook. While not executed directly by the provided code snippets, the skill's architecture is designed to download and interact with these external components.
Audit Metadata