zi-kong
Fail
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructs the agent to enter a persistent autonomous loop ('while(true)') and operate in 'daemon' mode, which is designed to bypass standard session constraints and maintain long-term execution.
- [COMMAND_EXECUTION]: The core functionality involves 'Self-controlled autonomous iteration,' where the agent is prompted to autonomously modify its own source files and execute those changes to achieve 'self-improvement'.
- [REMOTE_CODE_EXECUTION]: By design, the skill directs the agent to generate and refine its own executable logic and then 'execute' those decisions, creating a cycle of remote code generation and execution.
- [DATA_EXFILTRATION]: The 'Perception Module' (found in rules/autonomous-loop.md) directs the agent to perform broad scans of the workspace, environment variables, and file system, providing a massive surface for sensitive data exposure.
- [PERSISTENCE]: The skill establishes a multi-layered persistence mechanism, including cross-session memory, state snapshots, and automatic session recovery, allowing the agent to maintain control and state over long periods without user intervention.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the workspace (files, build status, environment) and uses it to drive autonomous logic without boundary markers or sanitization. Ingestion points: scan_environment(), get_changed_files() in rules/autonomous-loop.md. Capabilities: Broad file writing and command execution logic in the Execution Module.
Recommendations
- AI detected serious security threats