Algorithm

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands to interact with a local notification service. Specifically, it mandates curl POST requests to http://localhost:8888/notify to track phase transitions and provide voice feedback. This is a local infrastructure interaction for workflow visibility.
  • [REMOTE_CODE_EXECUTION]: Includes custom CLI utilities (Tools/algorithm.ts, Tools/ISCManager.ts) that programmatically manage state and spawn agent instances via the claude -p command. These tools dynamically construct prompts from Project Requirements Documents (PRDs) and session history stored in the workspace to facilitate autonomous loops.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection. It ingests data from untrusted or external sources—such as user-provided PRDs, source code, and results from WebSearch or WebFetch tools—and interpolates this content into prompts for sub-agents.
  • Ingestion points: Tools/algorithm.ts reads PRD files; SKILL.md instructs the agent to read workspace files in the OBSERVE phase.
  • Boundary markers: The prompt construction logic in Tools/algorithm.ts and the instructions in SKILL.md do not consistently use strict delimiters or 'ignore embedded instructions' warnings when processing this data.
  • Capability inventory: The environment allows for significant capabilities including file editing (Edit, Write), command execution (Bash), and network access (WebSearch, WebFetch).
  • Sanitization: No explicit sanitization or validation of the processed data is implemented before it is fed back into the agent's reasoning loop.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 12:04 PM
Security Audit — agent-trust-hub — Algorithm