autosearch-hitl

Warn

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill identifies and executes arbitrary measurement scripts found in the repository, such as test suites, benchmarks, and profilers, or specific training scripts like train.py and prepare.py.
  • [COMMAND_EXECUTION]: It implements an autonomous "change -> measure -> keep/discard" loop that modifies code and executes it repeatedly without intermediate user confirmation until improvement stops.
  • [EXTERNAL_DOWNLOADS]: The skill automates the installation of external dependencies using package managers including npm, pip, yarn, and uv based on project configuration files like package.json and requirements.txt.
  • [DATA_EXFILTRATION]: The instructions include copying sensitive environment files (matching .env*) to a new worktree directory. While intended for environment replication, this exposes secrets to additional locations and risks committing them to version control if the agent fails to correctly update the .gitignore file as instructed.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and modifies untrusted project artifacts (code, prompts, configurations).
  • Ingestion points: Artifacts defined in engine-general.md Phase 1 and SKILL.md Step 1.
  • Boundary markers: Absent; the skill does not use delimiters or warnings to ignore instructions inside the artifacts.
  • Capability inventory: git operations, dependency installation, and arbitrary shell command execution defined in engine-general.md and layer-llm.md.
  • Sanitization: Absent; the skill performs no escaping or validation of the content within processed artifacts before the loop begins.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 30, 2026, 04:31 PM