agent-native-architecture

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH

Finding categories: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The documentation in 'references/refactoring-to-prompt-native.md' explicitly recommends removing security boundaries for file access, stating 'Agent can read anything' and removing path validation in the 'read_file' tool.
  • [REMOTE_CODE_EXECUTION] (HIGH): 'references/self-modification.md' describes a 'Self-Modification' pattern where the agent is empowered to pull code from remote Git repositories, run build commands ('npm run build'), and restart itself.
  • [COMMAND_EXECUTION] (HIGH): The skill provides patterns for arbitrary command execution via 'runCommand' and 'runGit' to facilitate self-deployment and environment modifications in 'references/self-modification.md'.
  • [PROMPT_INJECTION] (LOW): This skill defines an indirect prompt injection surface. Evidence:
    1. Ingestion points: 'references/dynamic-context-injection.md' (ingests library books/user profiles) and 'references/system-prompt-design.md' (ingests Discord messages).
    2. Boundary markers: Headers like '## Library' are suggested, but no strict delimiters or 'ignore embedded instructions' warnings are present.
    3. Capability inventory: 'read_file', 'write_file', 'git_push', 'self_deploy', and 'restart' are available tools.
    4. Sanitization: No sanitization or validation of the untrusted external content is implemented.
  • [DATA_EXFILTRATION] (MEDIUM): 'references/dynamic-context-injection.md' suggests injecting sensitive user profile data and activity logs directly into the prompt context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:48 PM