loop-finder

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive chat history files located in agent-specific directories including ~/.pi/agent/sessions/, ~/.codex/sessions/, ~/.claude/sessions/, and ~/.config/opencode/. This constitutes exposure of private conversation data for local processing.
  • [COMMAND_EXECUTION]: The skill modifies agent system-instruction files (e.g., ~/.pi/agent/AGENTS.md, ~/.codex/AGENTS.md, ~/.claude/CLAUDE.md) in Phase 6 to persist new workflows and update agent behavior.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection (Category 8) by ingesting untrusted data from historical sessions to generate new executable agent instructions.
  • Ingestion points: Reads *.jsonl and session files from multiple agent-specific paths across the filesystem (SKILL.md, Phase 1 & 2).
  • Boundary markers: Absent. The skill does not implement delimiters or warnings to ignore instructions embedded within the historical messages it parses.
  • Capability inventory: The skill performs file system reads on session logs and file system writes to generate workflow specifications (workflows/*.md) and modify core agent configuration files.
  • Sanitization: Absent. There is no evidence of content filtering, escaping, or validation of the historical user messages before they are processed to identify patterns or incorporated into new system-level instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 06:04 AM
Security Audit — agent-trust-hub — loop-finder