loop-fixer
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes instructions from external evaluation reports without sanitization.
  - Ingestion points: The agent uses `read_file` to ingest evaluation reports from other agents (SKILL.md).
  - Boundary markers: No delimiters or "ignore embedded instructions" warnings are specified for the ingested content.
  - Capability inventory: The skill performs file writes (`write_file` for `plan.md`, `metadata.json`) and shell operations (git commits and fix execution mentioned in SKILL.md).
  - Sanitization: No escaping or validation is performed on the extracted fix instructions.
- [COMMAND_EXECUTION]: The workflow involves executing shell commands to implement fixes and perform git commits ("Commit after each fix"), deriving actions from potentially untrusted task lists.
- [PROMPT_INJECTION]: Instructions explicitly command the agent to "NEVER ask user" when the fix cycle limit is reached, which reduces human oversight during critical project state transitions.
Audit Metadata