self-improve

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides numerous examples and templates for executing shell commands using Bun.$, osascript, and direct bash snippets. These are used for system notifications, file management, and dependency installation.
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install and execute external code via pnpm install and npx. Specifically, it suggests using npx -y mcp-remote and @scope/mcp-server-name to extend capabilities with unverified external packages.
  • [PROMPT_INJECTION]: The skill contains recursive instructions ('Self-Improvement Triggers') that command the agent to update its own instructions, prompts, and documentation. This creates a mechanism where external input can influence and overwrite the agent's core operating guidelines.
  • [DATA_EXFILTRATION]: The skill specifies access to sensitive environment files (.env.local) and workspace configurations. It combines this with curl usage examples, creating a risk surface for potential data exposure if the agent is directed to send these local secrets to external endpoints.
  • [DYNAMIC_EXECUTION]: The skill defines a system for generating and loading TypeScript plugins (.opencode/plugin/*.ts) and tools (.opencode/tool/*.ts) at runtime. There is no evidence of validation or sandboxing for the code being generated, allowing for the execution of arbitrary logic derived from untrusted session data.
  • [DATA_EXFILTRATION]: The skill exhibits an attack surface for indirect prompt injection by ingesting data from Notion, web crawling (Exa), and browser automation (Chrome DevTools).
      • Ingestion points: External data is fetched via notion_*, exa_*, and chrome_* tools.
      • Boundary markers: The instructions do not define delimiters or protective warnings to prevent the agent from obeying instructions embedded in this external data.
      • Capability inventory: The agent possesses extensive file-write capabilities (mkdir, touch) and code execution tools (Bun.$, npx).
      • Sanitization: There is no mention of escaping or validating external content before it is used to 'improve' or update the agent's local skills and scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 5, 2026, 02:30 AM