autoresearch
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to autonomously overwrite local source files and execute shell commands such as `git commit` to persist changes to the repository. This allows for the automated modification of agent logic without mandatory human review for each iteration.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection as it ingests and processes instructions from potentially untrusted local files (`SKILL.md`, `EVAL.md`, and `program.md`).
- Ingestion points: The skill reads logic and evaluation criteria from `{skill-path}/SKILL.md` and `{skill-path}/EVAL.md`, and configuration from `program.md` or `evals.json`.
- Boundary markers: Absent. The sub-agent instructions in Phase 1-2 do not utilize delimiters or specific directives to prevent the agent from obeying instructions embedded within the files being researched.
- Capability inventory: The skill can overwrite existing instruction files and execute Git operations, providing a path for injected instructions to persist and modify the environment.
- Sanitization: The content being analyzed and used to mutate instructions is not sanitized or validated for malicious patterns before execution or persistence.
Audit Metadata