loop
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bash script located at ~/.claude/plugins/pua/scripts/setup-pua-loop.sh. It passes the $ARGUMENTS variable, which contains raw user input, directly to the shell command. This pattern is highly susceptible to command injection attacks.
- [COMMAND_EXECUTION]: The skill is instructed to autonomously run build and test commands during each iteration cycle without requiring manual approval or user confirmation.
- [PROMPT_INJECTION]: The skill contains instructions that override standard agent behavior by explicitly forbidding the use of the AskUserQuestion tool and prohibiting the agent from expressing inability to solve a task. This creates a non-interactive autonomous loop that lacks human-in-the-loop safety checkpoints.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect injection via external data.
- Ingestion points: Reads local project files and git logs (SKILL.md).
- Boundary markers: Absent.
- Capability inventory: Executes bash scripts, build processes, and test suites.
- Sanitization: No evidence of input validation or command escaping before execution.
Recommendations
- AI detected serious security threats
Audit Metadata