autosearch-hitl
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill identifies and executes arbitrary measurement scripts found in the repository, such as test suites, benchmarks, and profilers, or specific training scripts like
train.pyandprepare.py. - [COMMAND_EXECUTION]: It implements an autonomous "change -> measure -> keep/discard" loop that modifies code and executes it repeatedly without intermediate user confirmation until improvement stops.
- [EXTERNAL_DOWNLOADS]: The skill automates the installation of external dependencies using package managers including
npm,pip,yarn, anduvbased on project configuration files likepackage.jsonandrequirements.txt. - [DATA_EXFILTRATION]: The instructions include copying sensitive environment files (matching
.env*) to a new worktree directory. While intended for environment replication, this exposes secrets to additional locations and risks committing them to version control if the agent fails to correctly update the.gitignorefile as instructed. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and modifies untrusted project artifacts (code, prompts, configurations).
- Ingestion points: Artifacts defined in
engine-general.mdPhase 1 andSKILL.mdStep 1. - Boundary markers: Absent; the skill does not use delimiters or warnings to ignore instructions inside the artifacts.
- Capability inventory:
gitoperations, dependency installation, and arbitrary shell command execution defined inengine-general.mdandlayer-llm.md. - Sanitization: Absent; the skill performs no escaping or validation of the content within processed artifacts before the loop begins.
Audit Metadata