improve
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes repository-specific scripts (e.g.,
node scripts/test-all.js) and performs full installation flows in temporary directories during the quality improvement cycle. This gives the agent the capability to execute any code defined within the target repository's scripts or build processes. - [EXTERNAL_DOWNLOADS]: During Phase 0 (Bootstrap) and Phase 3 (Attack), the skill utilizes tools like
/research-fleetand/researchto fetch data from the internet for competitive analysis. Additionally, the 'actual install flow' described in the documentation typically involves downloading external packages from public registries like NPM or PyPI. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
- Ingestion points: The agent reads repo files, research documents in
.planning/research/, and web content from research tools (SKILL.md). - Boundary markers: Absent. Evaluator agents are given personas but lack explicit instructions to disregard instructions embedded within the processed data.
- Capability inventory: The skill can execute subprocesses, commit file changes to the repository, and perform network operations via research tools (SKILL.md).
- Sanitization: Absent. There is no evidence of content filtering or sanitization of the target repository's data before it is presented to scoring evaluators.
- [SAFE]: The skill implements significant safety gates that mitigate its autonomous risks. It requires explicit human approval for rubric creation and 'Level-Up' transitions, adheres to a 'no self-approval' policy, and enforces the use of 'worktree' isolation for sub-agents to limit context leakage.
Audit Metadata