long-task
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/long_task.py modifies the global platform configuration file (~/.claude/settings.json) to install a 'Stop hook'. This hook persistently alters the agent's behavior across sessions by intercepting stop signals.
- [COMMAND_EXECUTION]: The 'Stop hook' mechanism automates the agent's turns by returning a 'block' decision to the platform, forcing the agent to continue working autonomously without manual confirmation.
- [PROMPT_INJECTION]: The skill contains instructions that mandate the agent to skip user verification and resolve all issues autonomously during its primary execution phases ('You DO NOT ask the user during Phase 2/3').
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes various project-state files from the current working directory.
  - Ingestion points: Project files including .agent/goal.md, .agent/plans.md, .agent/standards.md, .agent/implement.md, and .agent/progress.md (read by both the orchestrator and the lifecycle script).
  - Boundary markers: An <objective> tag is used for the goal summary, with instructions to prioritize system messages over tag content; other files lack explicit boundary markers or isolation.
  - Capability inventory: The skill utilizes the Agent tool with worktree isolation and executes local shell commands via the lifecycle script.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the content read from the project markdown files before it is used to prompt subagents.
Recommendations
- AI detected serious security threats
Audit Metadata