autonomous-loops
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill describes patterns where external data (e.g.,
task.md,spec.md,SHARED_TASK_NOTES.md) is ingested and interpolated directly into agent prompts using shell commands like$(cat file). This creates a surface for indirect prompt injection if those files contain malicious instructions. - Ingestion points:
SKILL.mdprovides templates usingcatto read task descriptions and specifications into the prompt context. - Boundary markers: The provided script snippets lack explicit delimiters or instructions to ignore embedded commands within the ingested content.
- Capability inventory: The loops have significant capabilities including file system writes, shell command execution (via
bun/npm test), and Git operations. - Sanitization: No sanitization or validation of the ingested file content is performed in the example implementation patterns.
- [COMMAND_EXECUTION]: The implementation examples utilize shell scripts to orchestrate the workflow, executing CLI tools such as
claude,git, and test runners (bun,npm). While these are standard for developer-centric autonomous workflows, they represent a significant capability that should be executed within a sandboxed environment.
Audit Metadata