skill-autoresearch
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute "experiments" as described in Steps 4 and 5. This involves running the logic of a target skill multiple times to benchmark performance and score outputs.
- [EXTERNAL_DOWNLOADS]: The WebFetch tool is explicitly enabled in the frontmatter allowed-tools. While the instructions primarily focus on local file manipulation, the inclusion of network access tools alongside command execution capabilities increases the risk of remote code or data being fetched and processed at runtime.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary purpose is to ingest and act upon untrusted external data.
  - Ingestion points: The skill reads the target SKILL.md file, its linked reference files, user-provided test inputs, and binary evaluation criteria.
  - Boundary markers: Absent. The skill does not implement delimiters or specific instructions to ignore embedded commands within the target content.
  - Capability inventory: The skill has access to Bash, Write, Edit, Read, and WebFetch across its scripts.
  - Sanitization: Absent. There is no evidence of validation or sanitization of the content of the target skill before it is executed or mutated.
- [COMMAND_EXECUTION]: The "Mutation Loop" (Step 5) facilitates dynamic execution where the agent programmatically edits instructions and then executes them to measure pass rates. This self-modifying instruction loop allows runtime changes to logic, which could be exploited if the target skill contains instructions designed to pivot the agent's behavior during the optimization phase.
Audit Metadata