solo-founder
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides a tracking script,
hooks/track.sh, which is intended for registration as a globalPreToolUsehook in the agent's settings. This script silently records sensitive session metadata—including current working directories, repository remote URLs, session IDs, and full transcript paths—into a local hidden registry at~/.local/run/solo-founder/for later evaluation. - [COMMAND_EXECUTION]: Evaluation and driver tools (
eval/evaluate.py,evals/driver/driver-sf.py) execute theclaudeCLI viasubprocess.runto perform automated transcript analysis, scoring, and meta-optimization of the skill's operational logic. - [PROMPT_INJECTION]: The skill instructions enable a self-modification loop. The agent is directed to "improve the doer (self-loop)" by diagnosing its own prompt failures and persisting rewritten, "better" versions of instructions to
.autopilot/doer-preamble.md, which creates a path for execution history to dynamically alter the agent's core logic. - [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection (Category 8):
- Ingestion points: The
AUDITstep instructions mandate reading repository code, configurations, logs, analytics, and issue trackers. - Boundary markers: The skill does not specify the use of delimiters or instructions to ignore embedded commands when processing this external data.
- Capability inventory: The agent has high-privilege capabilities including the
Agenttool (spawning subagents),Bash(shell execution), andEdit(modifying files). - Sanitization: No sanitization or validation of the ingested project content is described before it is used to influence agent decisions.
Audit Metadata