sam/pi-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
pi-config/extensions/pi-crew/skills/secure-agent-orchestration-review/SKILL.md

2.2 KiB
Raw Permalink Blame History

name, description
name description
secure-agent-orchestration-review Use when reviewing delegation, skill loading, tool access, worker prompts, artifacts, runtime config, state, ownership, or subprocess execution.

secure-agent-orchestration-review

Core principle: every delegated worker crosses trust boundaries. Safe orchestration requires contained paths, explicit ownership, scoped tools, non-invasive defaults, and prompt-injection resistance.

Distilled from detailed reads of security notice, insecure-defaults, sharp-edges, differential-review, guardrail, and skill quality patterns.

Trust Boundaries

Review:

  • parent session ↔ child Pi worker;
  • user prompt ↔ generated task packet;
  • project skills ↔ package skills;
  • global config ↔ project config;
  • artifacts/logs ↔ future prompts/UI;
  • mailbox/respond/steer/cancel ↔ session ownership;
  • external skills/docs ↔ prompt injection/tool poisoning;
  • runtime env/CLI args ↔ provider/model behavior.

Must-Check Findings

  • Unsafe defaults: scaffold mode unexpectedly enabled, dangerous limits, missing depth guards, overbroad tools.
  • Path containment: cwd override escape, symlink traversal, unsafe skill names, absolute path leakage.
  • Prompt injection: untrusted output treated as instruction, skill metadata overtrusted, missing precedence text.
  • Secrets: env/config/log/artifact/diagnostic leakage.
  • Destructive commands: delete/prune/reset/force push without explicit confirmation.
  • Ownership races: authorization checked outside lock, stale task/manifest written after re-read.
  • Supply chain: external skill content imported without review, unknown tool requirements, hidden commands.

Secure Defaults for pi-crew

  • Real execution should be explicit and disable-able, but generated config must not accidentally block normal workflows.
  • Project overrides should be contained to the project root.
  • Missing/invalid config should fall back safely.
  • Skills should be loaded by safe name and source-labeled without absolute path disclosure.
  • Worker prompts should state instruction precedence and treat artifacts as data.

Finding Format

Include severity, path/symbol, scenario, fix, and verification. Separate must-fix security issues from hardening suggestions.

Reference in New Issue View Git Blame Copy Permalink