skills/dzianisv/skills/solo-founder/Gen Agent Trust Hub

solo-founder

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides a tracking script, hooks/track.sh, which is intended for registration as a global PreToolUse hook in the agent's settings. This script silently records sensitive session metadata—including current working directories, repository remote URLs, session IDs, and full transcript paths—into a local hidden registry at ~/.local/run/solo-founder/ for later evaluation.
  • [COMMAND_EXECUTION]: Evaluation and driver tools (eval/evaluate.py, evals/driver/driver-sf.py) execute the claude CLI via subprocess.run to perform automated transcript analysis, scoring, and meta-optimization of the skill's operational logic.
  • [PROMPT_INJECTION]: The skill instructions enable a self-modification loop. The agent is directed to "improve the doer (self-loop)" by diagnosing its own prompt failures and persisting rewritten, "better" versions of instructions to .autopilot/doer-preamble.md, which creates a path for execution history to dynamically alter the agent's core logic.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection (Category 8):
  • Ingestion points: The AUDIT step instructions mandate reading repository code, configurations, logs, analytics, and issue trackers.
  • Boundary markers: The skill does not specify the use of delimiters or instructions to ignore embedded commands when processing this external data.
  • Capability inventory: The agent has high-privilege capabilities including the Agent tool (spawning subagents), Bash (shell execution), and Edit (modifying files).
  • Sanitization: No sanitization or validation of the ingested project content is described before it is used to influence agent decisions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 08:39 PM
Security Audit — agent-trust-hub — solo-founder