loop-ops

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection as it is designed to process untrusted data from external sources.
  • Evidence: In the pr-watch example (assets/examples/pr-watch/run.md), the agent ingests PR titles and bodies via the gh CLI.
  • Boundary markers: The prompt utilizes strong boundary markers, including a 'Hard rules' section and explicit goal definitions that restrict the agent to 'report-only' actions and forbid merging or pushing.
  • Capability inventory: The orchestrator can execute shell commands and modify local state files (STATE.md).
  • Sanitization: The system relies on the LLM's adherence to instructions rather than programmatic sanitization of the external data.
  • [COMMAND_EXECUTION]: The skill performs dynamic script generation and local execution as part of its core orchestration and auditing functionality.
  • Evidence: scripts/loop-scaffold.sh generates the loop-run.sh runner script from a template using sed for placeholder replacement.
  • Evidence: scripts/loop-doctor.sh executes Python snippets via subprocesses to calculate cost estimates from local JSON data.
  • [EXTERNAL_DOWNLOADS]: The skill references official software packages from a well-known service.
  • Evidence: The example GitHub Actions workflow (assets/examples/pr-watch/github-actions.yml) installs @anthropic-ai/claude-code from the official npm registry. As this originates from a well-known service, it is documented neutrally without escalating the verdict.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 07:00 PM
Security Audit — agent-trust-hub — loop-ops