loop-executor
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The agent is vulnerable to indirect prompt injection as it ingests and acts upon tasks defined in external files without sufficient validation.
- Ingestion points: Reads from plan.md and metadata.json to determine its execution path and task logic.
- Boundary markers: Absent. The instructions do not define delimiters to isolate task data from the agent's core operational logic, increasing the risk that a malicious task could override agent behavior.
- Capability inventory: The skill possesses high-impact capabilities including file system modification, Git commit operations, and code execution through its TDD workflow.
- Sanitization: Absent. There is no mention of sanitizing or escaping the content retrieved from the plan files before it is used to generate or verify code.
- [COMMAND_EXECUTION]: The skill's implementation of a Test Driven Development (TDD) workflow (RED/GREEN/REFACTOR) involves executing code and tests that it generates. While this is the primary purpose of the skill, it represents a capability for executing arbitrary logic defined in the input plan.
Audit Metadata