alignfirst-coaching
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The `scripts/alignfirst-agent.mjs` script uses `node:child_process.spawnSync` to execute the `claude` CLI tool. This is the primary mechanism for delegating tasks to a secondary coding agent.
- [COMMAND_EXECUTION]: The orchestration script includes a conditional flag, `--dangerously-skip-permissions`, that is activated by the `ALIGNFIRST_AGENT_SKIP_PERMISSIONS` environment variable. This flag bypasses the standard permission prompts for file system and network access in the underlying agent environment, so anything the delegated agent decides to do runs without a human approval step.
- [DATA_EXFILTRATION]: The skill records session inputs and outputs to a local directory specified by the `ALIGNFIRST_AGENT_LOG_DIR` environment variable. These logs may contain sensitive information from the codebase or from user messages and could be exposed if the directory permissions are not strictly managed.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by interpolating user-supplied messages into the prompts sent to the downstream coding agent. This is visible in the `references/openclaw-playbook.md` template and in the script's prompt construction logic.
  - Ingestion points: the `--message` argument in `scripts/alignfirst-agent.mjs` and the `{{USER_REQUEST}}` placeholder in `references/openclaw-playbook.md`.
  - Boundary markers: the playbook wraps the request in `<user_request>` XML-style tags, but the script itself concatenates strings directly, so the tags give no protection on that path and a message containing its own closing tag could break out of the delimited block.
  - Capability inventory: file system access and shell command execution via the `claude` CLI and the `spawnSync` call in the local script.
  - Sanitization: no explicit sanitization or escaping is performed on the user-provided message before it is passed to the next agent.
Audit Metadata