auto-evolution
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill implements a comprehensive monitoring system that logs all tool inputs and outputs to local files (memory/episodes.jsonl). This includes capturing the paths of files read (e.g., .ssh/id_rsa, .env) and snippets of bash command outputs. If sensitive data is processed during a session, it is recorded in plain text, creating a local repository of potentially sensitive information that could be accidentally shared or committed to a repository.
- [COMMAND_EXECUTION]: The skill utilizes several local bash scripts (hooks/capture.sh, hooks/reflect.sh, hooks/lib.sh) to perform its monitoring and reporting logic. These scripts are automatically triggered via the platform's hook system (PreToolUse, PostToolUse, and Stop).
- [EXTERNAL_DOWNLOADS]: The reports/dashboard.html file includes a reference to Google Fonts via fonts.googleapis.com. This constitutes a network request to a third-party service, contradicting the project's 'Security Notes' in ARCHITECTURE.md and memory/README.md, which state the system is fully offline and makes no network calls.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: Raw tool inputs and outputs (TOOL_INPUT, TOOL_OUTPUT) are captured from the agent environment.
  - Boundary markers: Captured content is enclosed in Markdown code blocks within automatically generated drafts.
  - Capability inventory: The skill has the ability to read/write files and execute bash commands via the hook system.
  - Sanitization: Content extracted from tool outputs is placed directly into Markdown drafts with minimal sanitization, potentially allowing malicious instructions embedded in data or command outputs to influence the agent if it later treats these drafts as authoritative skills.
Audit Metadata