loop-runner

Warn

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands found in the 'Verification' section of .loop/<name>/LOOP.md. This facilitates local code execution controlled by the contents of data files.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by reading multiple files from the .loop/ directory and treating their contents as binding rules or steering instructions.
  • Ingestion points: Reads .loop/<name>/LOOP.md, signs.md, state.json, journal.md, backlog.md, and STEER.md.
  • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when processing these files.
  • Capability inventory: Includes shell command execution (verification step), file system writes, file deletions (STEER.md), and git operations (commit, restore, revert).
  • Sanitization: No sanitization or validation of the content read from the files is performed before it influences agent actions or command execution.
  • [DATA_EXFILTRATION]: The skill reads project state, history, and charter files. While it doesn't contain a direct network exfiltration command, the ability to execute commands read from LOOP.md provides a mechanism for data exfiltration.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 7, 2026, 11:39 AM
Security Audit — agent-trust-hub — loop-runner