loop-runner
Warn
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands found in the 'Verification' section of
.loop/<name>/LOOP.md. This facilitates local code execution controlled by the contents of data files. - [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by reading multiple files from the
.loop/directory and treating their contents as binding rules or steering instructions. - Ingestion points: Reads
.loop/<name>/LOOP.md,signs.md,state.json,journal.md,backlog.md, andSTEER.md. - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when processing these files.
- Capability inventory: Includes shell command execution (verification step), file system writes, file deletions (
STEER.md), and git operations (commit, restore, revert). - Sanitization: No sanitization or validation of the content read from the files is performed before it influences agent actions or command execution.
- [DATA_EXFILTRATION]: The skill reads project state, history, and charter files. While it doesn't contain a direct network exfiltration command, the ability to execute commands read from
LOOP.mdprovides a mechanism for data exfiltration.
Audit Metadata