loki-mode

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Prompt Injection] (CRITICAL): The skill contains explicit instructions designed to override agent safety constraints, such as 'You do not ask questions. You do not stop' and 'NEVER ask', 'NEVER wait'. It also includes a built-in feature to allow prompt injection via the HUMAN_INPUT.md file if a specific flag is set.
  • [Command Execution] (CRITICAL): The skill's core execution loop (RARV Cycle) involves running arbitrary shell commands and writing code without any human-in-the-loop verification. It mandates the use of the '--dangerously-skip-permissions' flag, which explicitly disables security boundaries.
  • [Remote Code Execution] (HIGH): The skill functions as an autonomous pipeline that transforms untrusted PRD (Product Requirements Document) files into deployed code and infrastructure. This creates a direct vector for remote code execution if the input PRD contains malicious instructions or code snippets.
  • [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from external PRD files (Markdown/JSON) and uses this data to drive high-privilege operations including code generation and cloud deployment. There is no evidence of sanitization, boundary markers, or review checkpoints, making the agent highly susceptible to instructions embedded in these documents.
  • [Privilege Escalation] (HIGH): By requiring the '--dangerously-skip-permissions' flag, the skill forces the agent to operate with elevated privileges, bypassing standard security controls provided by the host environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 04:26 PM