Skills
skills/chanakya-net/ai-skills/run-with-it/Gen Agent Trust Hub

run-with-it

Fail

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly requests to disable the standard security sandbox during the execution of its primary worker script.
  • The instructions mandate the use of dangerouslyDisableSandbox: true when invoking run-agent.sh to ensure agent CLIs can authenticate and run outside the sandbox.
  • It instructs the use of GUI_MODE=0 specifically to preserve 'full-bypass permission flags' required for unattended execution.
  • [PROMPT_INJECTION]: The skill includes instructions that override standard user-interaction and safety protocols to ensure autonomous operation.
  • It commands the agent to be the 'Sole active authority' and to 'Suppress any spontaneous external skill.'
  • It explicitly forbids the agent from pausing to ask the user for confirmation after the planning phase or presenting execution options.
  • [REMOTE_CODE_EXECUTION]: The orchestration architecture involves spawning child agents that execute logic based on data retrieved from external, potentially untrusted sources.
  • The skill fetches GitHub issue bodies and comments and pipes this content into an ephemeral Sub-Coordinator session via a runner script.
  • [PROMPT_INJECTION]: Ingestion of untrusted external data creates a surface for indirect instructions that could influence the orchestrator's behavior.
  • Ingestion points: GitHub issue bodies and comments are fetched in SKILL.md (Step C) to be used as context.
  • Boundary markers: Absent; there are no delimiters or warnings to 'ignore embedded instructions' around the issue content in the assembled context file.
  • Capability inventory: Subprocess calls via run-agent.sh, file-writes to the .run-with-it/ directory, and GitHub operations like gh issue close.
  • Sanitization: Absent; issue content is re-fetched and appended directly to the context file without validation or escaping.
  • [COMMAND_EXECUTION]: The skill performs automated filesystem and repository modifications without user-in-the-loop validation.
  • Documentation specifies a sequence of shell commands (mkdir, cp, gh issue close, and git commit) to be executed as part of the main loop and cleanup phases.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 14, 2026, 08:37 AM