autoresearch
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.runto execute standard development toolchains (e.g.,cargo,pytest,npm,go,git) based on the detected project stack. These commands are integral to the skill's purpose of automating build, test, and lint cycles during autonomous research. - [EXTERNAL_DOWNLOADS]: In
scripts/eval_gen.py, the skill optionally connects tohttps://api.exa.ai/searchto fetch adversarial testing pattern hints. Exa is a well-known service, and the retrieved data is used only as informative comments in the generated evaluation scripts. - [DATA_EXFILTRATION]: The skill includes a security-conscious
claude_env()function inscripts/runner_template.pythat explicitly removes theANTHROPIC_API_KEYfrom the environment before invoking sub-processes. This prevents the accidental exposure or usage of the user's API keys during autonomous execution. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests repository content (such as project files and git logs) into the context for the next improvement step.
- Ingestion points: Repository files including
program.md,results.tsv, andgit logoutput are read and interpolated into prompts inscripts/runner_template.py. - Boundary markers: The skill uses markdown headers as delimiters to distinguish ingested repository content within its internal prompts.
- Capability inventory: The skill has the capability to modify repository files and execute commands via
claude -pusing the high-privilege--dangerously-skip-permissionsflag, which is documented as necessary for its autonomous functionality. - Sanitization: Ingested repository content is interpolated into prompt templates without explicit sanitization, relying on the agent's internal safety guardrails.
Audit Metadata