autonomous-opus-loop

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The scripts/install.sh script modifies the user's .claude/settings.json to install a persistent 'Stop' hook. This hook triggers the execution of local shell and Python scripts automatically upon task completion, creating a persistent autonomous loop mechanism.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). The prompt templates in templates/analyzer-prompts/ incorporate conversation transcripts without using security delimiters or sanitization. An attacker who can influence the transcript (e.g., via malicious content in a file the agent reads) could potentially manipulate the analyzer's decisions.
      • Ingestion points: Conversation transcripts from transcript_path are read and processed by the analyzer.
      • Boundary markers: Absent. Prompt templates (e.g., default.txt) directly interpolate transcript data without escaping or delimiters to separate it from system instructions.
      • Capability inventory: The system manages an agent with Bash and Write capabilities, allowing injected instructions to potentially execute unauthorized commands or modify files.
      • Sanitization: No sanitization of transcript content is performed before interpolation into analyzer prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:31 PM