researcher

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to autonomously execute arbitrary shell commands defined as 'measure' or 'run' commands. This includes running complex command chains and creating helper scripts in the .lab/bin/ directory using tools such as awk, jq, and python -c.
  • [PROMPT_INJECTION]: The instructions use imperative language such as 'Non-negotiable rules' and '' tags to enforce autonomous behavior and minimize user intervention, which can override default agent safety or interaction protocols.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface because it evaluates untrusted project data to drive its autonomous actions.
      • Ingestion points: Reads all files within the defined research scope, as well as project-level metadata and ecosystem-specific rules.
      • Boundary markers: Absent; there are no instructions to delimit or ignore potentially malicious instructions embedded in the files being researched.
      • Capability inventory: Full autonomous git management (git reset --hard, git commit, git checkout), file system writes (modifying ignore files), and execution of arbitrary shell commands.
      • Sanitization: Absent; the agent executes measure and run commands derived from the environment without sanitization.
  • [DATA_EXPOSURE]: The 'Token Hygiene' feature modifies ecosystem-specific context management files (such as .claudeignore or .cursorrules). This capability could be used to manipulate which project files are visible to the agent, potentially leading to the exposure of sensitive data or the concealment of malicious files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 9, 2026, 05:12 AM

Security Audit — agent-trust-hub — researcher