aris-autonomous-ml-research
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to clone and install code from https://github.com/wanshuiyin/Auto-claude-code-research-in-sleep.git, which is an unverified source for this author context.
- [COMMAND_EXECUTION]: Provides instructions for compiling and running local software using `cargo build --release` and executing the resulting binary `./target/release/aris-code`.
- [COMMAND_EXECUTION]: The `/execute-plan` and `/research-pipeline` commands allow the agent to perform autonomous actions on the local system, including cloning remote repositories and executing code for experiments.
- [DYNAMIC_EXECUTION]: Features a `/meta-optimize` capability where the agent parses its own logs, identifies failure patterns, and generates/applies patches to its own `SKILL.md` instruction files.
- [DATA_EXFILTRATION]: Instructions facilitate sending local code, research ideas, and document drafts to a wide range of external third-party LLM providers (including Moonshot, MiniMax, Zhipu, DeepSeek, and Doubao) for review and processing.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an indirect injection surface by processing untrusted data from external sources.
  - Ingestion points: Reads content from arbitrary arXiv URLs, external GitHub repositories, and local PDF files via the `/wiki` and `/research-pipeline` commands.
  - Boundary markers: None identified; external content is processed without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has access to `git clone`, `cargo build`, file write operations (patching), and network communication with multiple API endpoints.
  - Sanitization: No evidence of sanitization or validation of the content retrieved from external research sources before it is processed by the agent.
Recommendations
- AI detected serious security threats