wendy-cloud-iterate

Fail

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: HIGHPROMPT_INJECTIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions to override standard safety and confirmation protocols.
  • Direct Injection: Phrases like "You are fully autonomous" and "Do NOT ask for confirmation before any of the above" attempt to remove user oversight for sensitive operations like code modification, repo cloning, and command execution.
  • Indirect Injection Surface: The skill ingests untrusted data from log files (/tmp/swift-broker.log) and test outputs to diagnose failures and 'attempt fixes'.
  • Ingestion points: /tmp/swift-broker.log, docker compose logs, gh pr checks.
  • Boundary markers: Absent; no delimiters or warnings for embedded instructions.
  • Capability inventory: Full file system write access, gh repo clone, make, docker compose, gh pr create, and gh pr merge.
  • Sanitization: Absent; no escaping or validation of external log content before processing.
  • [REMOTE_CODE_EXECUTION]: The prerequisites check executes a remote installation script from a third-party source: bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)". While targeting a well-known service, this pattern downloads and executes code directly from the internet.
  • [COMMAND_EXECUTION]: The skill performs extensive system operations including starting the Docker daemon (open -a Docker), installing packages (brew install), cloning repositories (gh repo clone), and running arbitrary make targets and shell scripts.
  • [CREDENTIALS_UNSAFE]: The skill provides instructions to create a docker-compose.override.yml file containing a hardcoded secret: PROVISIONING_JWT_SECRET: "local-dev-jwt-secret-change-in-prod". Hardcoded secrets in instructions are a security risk if the configuration is used beyond a local development environment.
  • [EXTERNAL_DOWNLOADS]: The skill fetches external code and tools, specifically cloning repositories from the wendylabsinc organization on GitHub using the gh CLI and downloading the Homebrew installer.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 14, 2026, 05:06 PM
Security Audit — agent-trust-hub — wendy-cloud-iterate