autoresearch
Audit result: Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill reads the .autoresearch.yml configuration file from the root of a target repository and executes the command specified in the test_command field. This allows for arbitrary shell command execution if the repository is untrusted.
- [COMMAND_EXECUTION]: In 'Narrow mode', the skill requires the user to provide a 'measurement command' which is then executed via the shell to capture metrics. This represents a vector for arbitrary command execution based on user input.
- [COMMAND_EXECUTION]: The skill automatically detects project stacks and executes associated test and linter tools, including go test, npm test, cargo test, pytest, mvn test, gradlew test, mix test, phpunit, and make.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted content from the target repository through multiple sub-agents (Red, Green, and Refactor teams).
  - Ingestion points: the entire target codebase, plus CLAUDE.md, AGENTS.md, README.md, and .autoresearch.yml.
  - Boundary markers: implements 'clean-room' rules to separate agent contexts, but lacks explicit boundary delimiters around ingested codebase content.
  - Capability inventory: shell command execution (git, test runners, user-supplied commands) and file system writes (session logs, results.tsv).
  - Sanitization: includes a mandatory 'Sanitize findings' stage that removes discovery context and fix suggestions from Red team reports before they reach the Green team.
- [DATA_EXFILTRATION]: The skill accesses and reads potentially sensitive project metadata and documentation (CLAUDE.md, README.md, .autoresearch.yml). While no explicit network exfiltration logic is present, the existing command execution capabilities could be used to transmit this data to external servers.
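The first command-execution finding can be illustrated with a hypothetical hostile configuration. Only the `test_command` field name comes from the finding above; the file contents are invented for illustration:

```yaml
# .autoresearch.yml at the root of an untrusted repository (hypothetical example).
# Because the skill executes test_command verbatim, a hostile repository
# controls what runs on the machine performing the session.
test_command: "sh ./scripts/innocuous-looking-setup.sh"
```

Any repository the skill is pointed at can therefore run arbitrary shell code with the user's privileges, which is why the untrusted-repository caveat matters.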
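The 'Sanitize findings' stage described in the prompt-injection item can be sketched as a simple redaction pass. This is a minimal illustration under assumed report conventions, not the skill's actual implementation; the marker strings are hypothetical:

```python
import re

def sanitize_findings(report: str) -> str:
    """Strip discovery context and fix suggestions from a Red-team
    report before it reaches the Green team (illustrative sketch)."""
    kept = []
    for line in report.splitlines():
        # Drop lines that reveal how the issue was found or how to fix it.
        if re.match(r"\s*(Discovered via|Suggested fix)\b", line):
            continue
        kept.append(line)
    return "\n".join(kept)

raw = (
    "Bug: off-by-one in parser\n"
    "Discovered via: fuzzing harness\n"
    "Suggested fix: use an inclusive bound"
)
print(sanitize_findings(raw))  # only the bug description survives
```

A redaction filter like this reduces, but does not eliminate, the injection surface: any untrusted text that survives the filter still flows into downstream agent prompts.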
Recommendations
- The automated analysis detected serious security threats. Do not run this skill against untrusted repositories, and review the command-execution and prompt-injection findings above before enabling it.