polis-protocol
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions require cloning a repository from an untrusted source (`github.com/yehudalevy-collab/polis-protocol.git`) and installing a Python package (`polis-protocol`) via pipx.
- [REMOTE_CODE_EXECUTION]: The skill directs users to execute downloaded scripts directly, such as `python3 scripts/init_polis.py` and `bash scripts/demo.sh`, which represents execution of unverified remote code.
- [COMMAND_EXECUTION]: The skill uses custom CLI commands (`polis route`, `polis contract settle`) which act as wrappers for external scripts that can modify the project structure, including writing to `.agents/skills/`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core routing and governance logic (the 'learning bandit' and 'amendments') depends on processing the content of markdown files in `_polis/`. An attacker who can influence a 'contract' or 'citizen card' could potentially manipulate the routing decisions or rule-making process of the agent team.
- Ingestion points: `_polis/contracts/`, `_polis/citizens/`, and `_polis/CONSTITUTION.md`.
- Boundary markers: None specified in the documentation.
- Capability inventory: Scripts can write to project files, modify agent skills, and perform project scaffolding.
- Sanitization: No mention of input validation or instruction filtering for the processed markdown data.
Audit Metadata