autoresearch-hooks

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core functionality is the execution of arbitrary bash scripts (before.sh and after.sh) at iteration boundaries. The documentation instructs the agent to create these scripts, modify them, and grant them executable permissions (chmod +x), allowing them to run with the user's local privileges.
  • [PROMPT_INJECTION]: The stdout of hook scripts is automatically delivered to the agent as a 'steer message' for the next turn. This creates an indirect prompt injection surface because the examples process data from the workspace (like autoresearch.md or autoresearch.ideas.md) and output it without sanitization or boundary markers.
      • Ingestion points: Reads from files including autoresearch.jsonl, autoresearch.md, and autoresearch.ideas.md.
      • Boundary markers: Absent; hook output is printed directly to stdout and consumed by the agent.
      • Capability inventory: Includes access to git, osascript, bash, and external CLI tools.
      • Sanitization: None; extracted text from files is passed to the agent's context via stdout.
  • [DATA_EXFILTRATION]: Example scripts such as external-search.sh and hypothesis-reflection.sh demonstrate patterns for sending session data, such as agent notes and research hypotheses, to external search APIs and LLM providers via CLI tools.
  • [COMMAND_EXECUTION]: The macos-notify.sh example utilizes osascript to trigger system notifications. While used for a benign purpose in the example, osascript is a powerful utility that can be abused to control macOS applications and system settings.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 03:21 PM