autoresearch

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to execute standard development toolchains (e.g., cargo, pytest, npm, go, git) based on the detected project stack. These commands are integral to the skill's purpose of automating build, test, and lint cycles during autonomous research.
  • [EXTERNAL_DOWNLOADS]: In scripts/eval_gen.py, the skill optionally connects to https://api.exa.ai/search to fetch adversarial testing pattern hints. Exa is a well-known service, and the retrieved data is used only as informative comments in the generated evaluation scripts.
  • [DATA_EXFILTRATION]: The skill includes a security-conscious claude_env() function in scripts/runner_template.py that explicitly removes the ANTHROPIC_API_KEY from the environment before invoking sub-processes. This prevents the accidental exposure or usage of the user's API keys during autonomous execution.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests repository content (such as project files and git logs) into the context for the next improvement step.
  • Ingestion points: Repository files including program.md, results.tsv, and git log output are read and interpolated into prompts in scripts/runner_template.py.
  • Boundary markers: The skill uses markdown headers as delimiters to distinguish ingested repository content within its internal prompts.
  • Capability inventory: The skill has the capability to modify repository files and execute commands via claude -p using the high-privilege --dangerously-skip-permissions flag, which is documented as necessary for its autonomous functionality.
  • Sanitization: Ingested repository content is interpolated into prompt templates without explicit sanitization, relying on the agent's internal safety guardrails.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — autoresearch