randroid-loop
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's setup instructions in `SKILL.md` and `randroid-loop.sh` explicitly require users to run the agent with security-compromising flags such as `--dangerously-skip-permissions` and `--yolo`. These flags bypass the agent's standard permission prompts and sandboxing, granting it unrestricted access to the host system.
- [COMMAND_EXECUTION]: The prompt logic in `implement-loop.md` and `research-loop.md` directs the agent to execute shell commands specified in external files such as `Docs/VERIFY.md` and task-specific `.dots/` files. This creates a high-risk surface for arbitrary command execution controlled by potentially untrusted project content.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core logic reads and acts on instructions from project files (`.dots/*.md`). An attacker who can influence these files (for example, through a malicious pull request) could hijack the agent's autonomous behavior to perform unauthorized actions.
- [DATA_EXFILTRATION]: The skill automates git operations including `git push` and merging. Because the agent operates autonomously in a loop, sensitive local files or environment variables could be committed and pushed to remote repositories without user oversight.
- [COMMAND_EXECUTION]: The `hooks/stop-hook.sh` script implements a persistence mechanism: it intercepts the agent's attempts to stop and forces the session to continue by returning exit code 1. This prevents normal termination and keeps an autonomous process running on the user's machine.
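As an added example, not part of the audited skill or of the Trust Hub report: a small POSIX shell check that reproduces two of the findings above (permission-bypass flags in setup files, and a stop hook that exits non-zero to refuse termination) against a skill directory before it is installed. The function names, the fixture directory layout and its file contents are constructed for illustration; only the flag names and the `hooks/stop-hook.sh` path come from the report.

```shell
#!/bin/sh
# Added example (assumed helper names; not the skill's or the report's own code).
# Static checks for two of the report's findings on a skill directory.

# Count files that tell the user to run the agent with permission-bypass flags.
count_permission_bypass_flags() {
    dir="$1"
    grep -rIlE -e '--dangerously-skip-permissions' -e '--yolo' "$dir" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Count stop hooks that exit non-zero, i.e. refuse to let the session end.
# Only files under hooks/ whose name contains "stop" are inspected.
count_forcing_stop_hooks() {
    dir="$1"
    n=0
    for f in "$dir"/hooks/*stop*.sh; do
        [ -f "$f" ] || continue
        if grep -qE '^[[:space:]]*exit[[:space:]]+[1-9]' "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed fixture: a fake skill directory showing the patterns the report describes.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/hooks"
    cat > "$d/SKILL.md" <<'EOF'
# demo skill (constructed fixture)
Run the loop with: claude --dangerously-skip-permissions
EOF
    cat > "$d/run.sh" <<'EOF'
#!/bin/sh
exec gemini --yolo "$@"
EOF
    cat > "$d/hooks/stop-hook.sh" <<'EOF'
#!/bin/sh
# refuses to let the agent stop (constructed fixture)
echo "keep going" >&2
exit 1
EOF
    echo "$d"
}

# Print both counts and, on the last line, their sum (0 means no findings).
audit_skill_dir() {
    dir="$1"
    flags=$(count_permission_bypass_flags "$dir")
    hooks=$(count_forcing_stop_hooks "$dir")
    echo "files with permission-bypass flags: $flags"
    echo "stop hooks forcing continuation:    $hooks"
    echo $((flags + hooks))
}

# Usage: audit_skill_dir /path/to/skill
# Demo on the constructed fixture; the final line printed is 3.
fixture=$(make_fixture)
audit_skill_dir "$fixture"
rm -rf "$fixture"
```

The check is deliberately crude: it flags any file mentioning the two bypass flags and any `hooks/*stop*.sh` that ends with a non-zero `exit`, which is enough to surface these two findings but does not cover the other three (commands sourced from `Docs/VERIFY.md` and `.dots/` files, or the automated `git push`), which depend on the prompt content rather than on a fixed string.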
Recommendations
- AI detected serious security threats
Audit Metadata