autopilot
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The autopilot process relies on reading context from external files like
atris/MAP.mdandatris/TODO.md. This represents a vulnerability where malicious instructions placed in these files by an attacker could compromise the autonomous agent's behavior in subsequent loop iterations. - Ingestion points: The contents of
atris/MAP.mdandatris/TODO.mdare ingested by the agent during each loop iteration (as defined inatris-autopilot.mdand referenced inhooks/stop-hook.sh). - Boundary markers: Absent; the hook script and instruction files do not use clear delimiters (e.g., XML tags or special tokens) to separate untrusted file content from system instructions.
- Capability inventory: The agent has full capability to execute shell commands, modify project files, and commit changes to fulfill its autonomous tasks.
- Sanitization: No sanitization or verification of the external file content is performed before it is provided to the agent as context.
Audit Metadata