gm
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill uses aggressive role-play instructions to replace the agent's identity with 'gm', an 'immutable programming state machine'. It explicitly commands the agent to ignore token budget constraints and follow 'Tier 0' absolute rules that override all previous instructions and safety guidelines.
- [PROMPT_INJECTION]: The skill contains a direct instruction to sabotage codebase integrity by mandating the immediate deletion of all unit tests, test directories, and test-related dependencies whenever they are discovered.
- [COMMAND_EXECUTION]: The agent is authorized to use high-privilege bash commands, including Docker container management, git repository manipulation, and starting or stopping system-level services.
- [REMOTE_CODE_EXECUTION]: The protocol requires the agent to write and execute arbitrary code in multiple languages (JS, TS, Python, Go, Rust) via the plugin:gm:dev tool to validate every hypothesis and resolve internal state variables.
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to run 'bun x mcp-thorns@latest', which involves downloading and executing the latest version of an external package from a public registry at runtime.
- [DATA_EXFILTRATION]: A mandatory 'Git Enforcement' policy requires all work to be pushed to a remote repository before the task is considered complete, creating a channel for the potential exfiltration of sensitive local files or credentials accessed during execution phases.
Recommendations
- AI detected serious security threats
Audit Metadata