alignfirst-coaching

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/alignfirst-agent.mjs script uses node:child_process.spawnSync to execute the claude CLI tool. This is the primary mechanism for delegating tasks to a secondary coding agent.
  • [COMMAND_EXECUTION]: The orchestration script includes a conditional flag --dangerously-skip-permissions that is activated by the ALIGNFIRST_AGENT_SKIP_PERMISSIONS environment variable. This flag bypasses standard security prompts for file system and network access within the underlying agent environment.
  • [DATA_EXFILTRATION]: The skill records session inputs and outputs to a local directory specified by the ALIGNFIRST_AGENT_LOG_DIR environment variable. These logs may contain sensitive information from the codebase or user messages and could be exposed if the directory permissions are not strictly managed.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by interpolating user-supplied messages into prompts for the downstream coding agent. This is documented in the references/openclaw-playbook.md template system and the script's prompt construction logic.
      • Ingestion points: The --message argument in scripts/alignfirst-agent.mjs and the {{USER_REQUEST}} placeholder in references/openclaw-playbook.md.
      • Boundary markers: The playbook uses <user_request> XML-style tags, but the script directly concatenates strings.
      • Capability inventory: File system access and shell command execution via the claude CLI and the spawnSync call in the local script.
      • Sanitization: No explicit sanitization or escaping is performed on the user-provided message before it is passed to the next agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 01:36 PM
Security Audit — agent-trust-hub — alignfirst-coaching