autark
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to be "permissionless" and states that its job is "not to prepare work for a human to approve". This overrides the usual human-in-the-loop review for external actions such as sending emails or posting to public forums.
- [COMMAND_EXECUTION]: The skill's core functionality relies on executing the `autark` CLI tool to manage hypotheses, runs, and actions.
- [EXTERNAL_DOWNLOADS]: The documentation directs users to install an external, third-party CLI tool via `npm i -g autark`.
- [DATA_EXFILTRATION]: The skill is designed to log the agent's external activities (emails, GitHub comments, Reddit posts) to an external API (`autark-api.kushalsokke.workers.dev`) and a public dashboard.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting untrusted data through the `autark context` command.
  - Ingestion points: The agent reads data from local product briefs (`products/<slug>.md`) and remote context (hypotheses, recent runs, and narratives) via the `autark context` command.
  - Boundary markers: No explicit delimiters or boundary markers separate ingested data from agent instructions.
  - Capability inventory: The agent can perform network operations and external posts recorded via `autark log action` (Email, GitHub, Reddit, HN, etc.), so injected instructions in ingested content could be acted on externally.
  - Sanitization: There is no evidence that remote content fetched by the CLI is sanitized or validated before the agent processes it.
Audit Metadata