afk-cook

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the GitHub issue tracking system.
      ◦ Ingestion points: In slice-prompt.md, the agent is instructed to fetch task details using gh issue view {{ISSUE_NUMBER}} --comments and potentially to read parent PRDs.
      ◦ Boundary markers: None. The prompt neither uses delimiters to encapsulate the external issue content nor instructs the agent to disregard instructions found within that data.
      ◦ Capability inventory: The agent runs in acceptEdits mode (via the afk-cook script), allowing it to execute shell commands, modify source code, and perform git commits.
      ◦ Sanitization: Absent. Data retrieved from the GitHub CLI is processed directly as the task specification.
  • [COMMAND_EXECUTION]: The bash runner script executes the AI agent with broad permissions.
      ◦ Evidence: The afk-cook script invokes claude --permission-mode acceptEdits, which grants the agent the ability to execute any command discovered in the project's build files or injected via the issue body.
  • [DATA_EXFILTRATION]: Agent execution logs, which may contain sensitive source code or project context, are stored in a world-readable temporary directory.
      ◦ Evidence: The script uses tee /tmp/ralph-slice-${N}-${attempt}.log to store session output.
      ◦ Risk: On multi-user systems, this allows other users to read the logs and potentially extract proprietary information or secrets exposed during the agent's session.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 19, 2026, 06:57 PM
Security Audit — agent-trust-hub — afk-cook