autoresearch
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The setup script and installation instructions in `SKILL.md` and `scripts/setup.sh` use a high-risk command pattern by piping a remote script directly to the shell (`curl -LsSf https://astral.sh/uv/install.sh | sh`). This is a common setup procedure for the well-known `uv` package manager provided by Astral.
- [COMMAND_EXECUTION]: The primary function of the skill is to allow an AI agent to autonomously edit the `train.py` script and then execute it via `uv run`. This design enables the execution of dynamically generated code based on external directives, constituting a major security surface.
- [PROMPT_INJECTION]: The framework uses `program.md` as the source of truth for the agent's research loop, which makes it vulnerable to indirect prompt injection.
  - Ingestion points: The agent reads research directives from `program.md` in `SKILL.md` and `scripts/run-loop.sh` to guide code changes in `train.py`.
  - Boundary markers: No explicit delimiters or boundary instructions are used to prevent the agent from following malicious commands embedded in the `program.md` file.
  - Capability inventory: The agent has access to the `Bash`, `Read`, `Write`, `Edit`, `Glob`, `Grep`, and `WebFetch` tools (as specified in `SKILL.md`), and the shell scripts execute potentially dangerous operations like `git reset` and `uv run`.
  - Sanitization: There is no evidence of sanitization or safety checks performed on the directives sourced from `program.md` before they are used to generate executable Python code.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata