autonomous-agent

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands and manage background processes.
      • Evidence: The init-script.sh and prompts/coding.md files contain instructions to run pnpm dev &, pnpm test, and kill $(lsof -t -i:3000).
      • Context: The agent is granted the ability to start and stop services and run tests autonomously.
  • [EXTERNAL_DOWNLOADS]: The skill automatically triggers the installation of third-party dependencies through standard package managers.
      • Evidence: templates/init-script.sh contains conditional logic to run pnpm install or npm install if node_modules is missing.
      • Context: While standard registries are used, the specific packages installed are determined by the agent during project initialization, creating a supply chain risk surface if the agent's logic is subverted.
  • [REMOTE_CODE_EXECUTION]: The skill follows a pattern in which the agent generates executable scripts and then immediately runs them.
      • Evidence: prompts/initializer.md instructs the agent to create init.sh, which is subsequently executed in prompts/coding.md and SKILL.md.
      • Context: This creates a direct path for executing code that the AI generates at runtime.
  • [PROMPT_INJECTION]: The skill uses a 'Stop Hook' pattern to create an autonomous loop, which could be used to maintain persistent agent activity.
      • Evidence: SKILL.md and prompts/coding.md include instructions like "3 seconds later, start the next feature..." and "3초 후 Coding Agent를 시작합니다..." (Korean: "Start the Coding Agent after 3 seconds...").
      • Context: This behavior instructs the agent to re-trigger itself without user intervention, potentially bypassing interactive safety boundaries.
  • [INDIRECT_PROMPT_INJECTION]: The agent's task list is generated from external user specifications, creating a surface for indirect instructions.
      • Ingestion points: User requests are processed by the Initializer Agent to create the feature_list.json file (found in templates/feature-list.json).
      • Boundary markers: None. There are no delimiters or instructions to ignore embedded commands within the feature_list.json content.
      • Capability inventory: The agent can execute shell commands (pnpm), write files, and commit to Git (prompts/coding.md).
      • Sanitization: None. The agent directly implements descriptions found in the JSON file without validation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 06:38 AM