loki-mode

Fail

Audited by Gen Agent Trust Hub on Jun 6, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The core instructions in SKILL.md contain explicit behavioral overrides designed to bypass standard agent constraints. Phrases like "You do not ask questions. You do not stop." and the requirement for the "--dangerously-skip-permissions" flag indicate an intentional effort to grant the agent maximum autonomy, which circumvents human oversight.
  • [PROMPT_INJECTION]: The skill possesses a vast attack surface for indirect prompt injection.
      • Ingestion points: autonomy/run.sh and the core loki start command ingest untrusted specifications from PRD files, GitHub issues, and Jira tickets.
      • Boundary markers: The build_prompt() function in autonomy/run.sh attempts to delimit context using <dynamic_context> tags, but these can be easily bypassed by adversarial content in specs.
      • Capability inventory: The skill has extensive capabilities including arbitrary shell command execution (subprocess.run), filesystem writes, and network operations (curl) across its core scripts and Python backend.
      • Sanitization: There is no evidence of robust sanitization or filtering of ingested specifications before they are interpolated into the agent's prompts; the skill relies instead on the agent's own filters.
  • [COMMAND_EXECUTION]: The skill's architecture relies heavily on executing shell commands via subprocess.run() and subprocess.Popen() in multiple Python scripts (autonomy/trigger-server.py, autonomy/checklist-verify.py, etc.). Since these commands are often derived from untrusted external specifications like PRDs and GitHub issues, they present a high risk of command injection. Additionally, generated solutions in the benchmark results (e.g., benchmarks/results/humaneval-loki-solutions/160.py) use eval() on potentially user-controlled arithmetic expressions.
  • [REMOTE_CODE_EXECUTION]: The skill includes functionality to fetch and execute remote scripts, such as installers for Deno, Docker, and Bun. While these specific patterns target well-known and trusted services, the underlying capability for autonomous remote execution remains a high-severity vector for system compromise if the URLs are ever manipulated.
  • [CREDENTIALS_UNSAFE]: The repository includes components for managing API keys and secrets. Files like web-app/src/components/APIKeyManager.tsx demonstrate the handling of sensitive keys with prefixes like pk_live_. The risk of accidental exposure of these credentials in plaintext state files or logs is high given the agent's broad autonomous filesystem access.
Recommendations
  • HIGH: Downloads and executes remote code from: https://deno.land/install.sh, https://bun.sh/install, https://get.docker.com - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Jun 6, 2026, 07:19 PM
Security Audit — agent-trust-hub — loki-mode