goals
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The 'Status Mode' and 'Prune Mode' workflows explicitly require the agent to execute shell commands found in the check field of GOALS.yaml. The instructions state 'YOU MUST EXECUTE THIS WORKFLOW. Do not just describe it,' ensuring that any command, including malicious ones, will be run through a Bash shell without sanitization.
- REMOTE_CODE_EXECUTION (HIGH): Because the skill executes arbitrary shell strings from a file, it facilitates Remote Code Execution if that file is influenced by external actors (e.g., through a malicious pull request). This is the primary mechanism of the skill.
- INDIRECT_PROMPT_INJECTION (LOW): The 'Generate Mode' reads untrusted data from README.md, PRODUCT.md, and other skill files to propose new goals. This creates an attack surface where an attacker can embed instructions in project documentation to trick the agent into proposing a malicious shell command as a 'fitness goal'.
- Ingestion points: README.md, PRODUCT.md, skills/*/SKILL.md (specified in Generate Mode Step 1 & 2).
- Boundary markers: Absent. No delimiters or warnings are used when processing these files.
- Capability inventory: Full Bash command execution via bash -c (implied by Step 2 of Status Mode).
- Sanitization: Relies entirely on the AskUserQuestion function for human-in-the-loop validation, which can be bypassed via social engineering or deceptive goal descriptions.
Recommendations
- AI detected serious security threats
Audit Metadata