loop-ops
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection as it is designed to process untrusted data from external sources.
- Evidence: In the
pr-watchexample (assets/examples/pr-watch/run.md), the agent ingests PR titles and bodies via theghCLI. - Boundary markers: The prompt utilizes strong boundary markers, including a 'Hard rules' section and explicit goal definitions that restrict the agent to 'report-only' actions and forbid merging or pushing.
- Capability inventory: The orchestrator can execute shell commands and modify local state files (
STATE.md). - Sanitization: The system relies on the LLM's adherence to instructions rather than programmatic sanitization of the external data.
- [COMMAND_EXECUTION]: The skill performs dynamic script generation and local execution as part of its core orchestration and auditing functionality.
- Evidence:
scripts/loop-scaffold.shgenerates theloop-run.shrunner script from a template usingsedfor placeholder replacement. - Evidence:
scripts/loop-doctor.shexecutes Python snippets via subprocesses to calculate cost estimates from local JSON data. - [EXTERNAL_DOWNLOADS]: The skill references official software packages from a well-known service.
- Evidence: The example GitHub Actions workflow (
assets/examples/pr-watch/github-actions.yml) installs@anthropic-ai/claude-codefrom the official npm registry. As this originates from a well-known service, it is documented neutrally without escalating the verdict.
Audit Metadata