loop-finder
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive chat history files located in agent-specific directories including
~/.pi/agent/sessions/,~/.codex/sessions/,~/.claude/sessions/, and~/.config/opencode/. This constitutes exposure of private conversation data for local processing. - [COMMAND_EXECUTION]: The skill modifies agent system-instruction files (e.g.,
~/.pi/agent/AGENTS.md,~/.codex/AGENTS.md,~/.claude/CLAUDE.md) in Phase 6 to persist new workflows and update agent behavior. - [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection (Category 8) by ingesting untrusted data from historical sessions to generate new executable agent instructions.
- Ingestion points: Reads
*.jsonland session files from multiple agent-specific paths across the filesystem (SKILL.md, Phase 1 & 2). - Boundary markers: Absent. The skill does not implement delimiters or warnings to ignore instructions embedded within the historical messages it parses.
- Capability inventory: The skill performs file system reads on session logs and file system writes to generate workflow specifications (
workflows/*.md) and modify core agent configuration files. - Sanitization: Absent. There is no evidence of content filtering, escaping, or validation of the historical user messages before they are processed to identify patterns or incorporated into new system-level instructions.
Audit Metadata