personal-loop
Fail
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to suppress standard safety guardrails and human oversight by stating "never ask for input, pause for approval, or wait for a human" and "The pipeline never blocks on a human." This autonomy abuse allows the agent to perform destructive or dangerous actions without user verification.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill implements a "gate-based" execution pattern where it extracts and runs shell commands defined in external markdown files. The instructions specify that "the bar is that command exiting 0. Run it; do not judge it by eye," which leads to the execution of arbitrary code sourced from potentially untrusted files in the loop directory.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it consumes instructions from external data to drive its core logic and file-system modifications.
  * Ingestion points: The agent reads and treats every markdown file in the LOOP_DIR (default loops/) as an active instruction set.
  * Boundary markers: There are no boundary markers or delimiters defined to separate the skill's own safety logic from the content of the external loop files.
  * Capability inventory: The skill allows for recursive file modification of the TARGET and the execution of arbitrary shell commands via the gate mechanism.
  * Sanitization: No sanitization or validation of the instructions or commands found in the external files is performed before they are used to drive the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata