agent-native-architecture
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The documentation encourages the implementation of a bash tool primitive to provide agents with environment access, as seen in SKILL.md and references/from-primitives-to-domain-tools.md.
- [PROMPT_INJECTION]: The architecture is designed to have agents process untrusted data from sources such as external messaging platforms (Discord) or shared user-editable files, creating a vulnerability surface for indirect prompt injection.
  - Ingestion points: references/architecture-patterns.md (Discord messages), references/shared-workspace-architecture.md (shared file workspace).
  - Boundary markers: The skill relies on natural-language instructions in system prompts to define boundaries rather than technical enforcement.
  - Capability inventory: SKILL.md (bash), references/mcp-tool-design.md (store_item, call_api, send_message), references/self-modification.md (git_push, write_file, restart).
  - Sanitization: The skill advocates human-in-the-loop "Approval Gates" for dangerous operations (references/architecture-patterns.md) and basic path validation for file tools (references/shared-workspace-architecture.md).
- [COMMAND_EXECUTION]: The "Self-Modification" pattern enables agents to edit their own source code and trigger rebuilds and system restarts, which provides a mechanism for persistence or privilege escalation if the agent's logic is compromised (found in references/self-modification.md).
Audit Metadata