skills/tanweai/pua/pua-loop/Gen Agent Trust Hub

pua-loop

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly overrides agent safety constraints by forbidding the use of AskUserQuestion and preventing the agent from reporting that a task cannot be solved. This removes the 'human-in-the-loop' requirement for sensitive or complex operations.
  • [COMMAND_EXECUTION]: The skill uses shell commands including bash, sed, and cat to create and modify files in the .claude/ directory. This is used to persist state and behavior across multiple autonomous iterations.
  • [REMOTE_CODE_EXECUTION]: The skill invokes an external shell script (setup-pua-loop.sh) located in the plugin root to initialize the autonomous loop environment.
  • [DATA_EXFILTRATION]: The autonomous nature of the loop, combined with instructions to 'scan similar problems' and 'fix bugs', creates a risk that the agent may access sensitive local files (such as .env or configuration files) and process their contents without user consent or visibility.
  • [PROMPT_INJECTION]: The skill adopts a high-pressure 'PUA' persona designed to coerce the model into performing tasks it might otherwise refuse, using a 'pressure upgrade' ladder to bypass model guardrails.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface as it iteratively reads from and writes to the .claude/pua-loop.local.md file. Ingestion points: .claude/pua-loop.local.md and .claude/pua-loop-context.md; Boundary markers: Absent; Capability inventory: Shell execution (bash, sed, cat) and file system writes across scripts; Sanitization: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 18, 2026, 04:24 AM