recoup-platform-build-os

Warn

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PERSISTENCE_MECHANISMS]: The skill provides templates in assets/janitor-schedule.tmpl to establish persistent, periodic execution of agent tasks using GitHub Actions, cron, and macOS launchd. These are used to automate the 'janitor' maintenance skill.
  • [DYNAMIC_EXECUTION]: The workspace is designed to generate and execute its own logic at runtime. It creates a Python script (doctor.py) and authors new AI agent skills (plugin/skills/) as part of its 'skillify' and 'reflect' loops, which promote completed work into durable capabilities.
  • [INDIRECT_PROMPT_INJECTION]: The 'auto-manage loop' described in SKILL.md and assets/CLAUDE.md.tmpl ingests untrusted external data (transcripts, notes, and raw files) to automatically update the workspace's 'brain', knowledge base, and dashboard. There are no boundary markers or sanitization steps to prevent malicious instructions within that data from influencing the agent's behavior during the extraction and reconciliation process.
  • [COMMAND_EXECUTION]: The automation templates for GitHub Actions instruct the agent to run with high-autonomy flags (e.g., --permission-mode acceptEdits), which allows the agent to modify the repository and push changes without manual approval.
  • [DATA_EXFILTRATION]: While the skill integrations with the Recoup API are vendor-provided and legitimate for its purpose, the broad autonomous access to the filesystem and network (via recoup-platform-api-access) combined with the processing of untrusted data creates a potential path for data leakage if the agent is misled by injected content.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 1, 2026, 08:34 PM