qa
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses high-privilege shell commands, including 'bash', 'curl', 'git', and the GitHub CLI ('gh'), to interact with the repository and the environment.
- [PROMPT_INJECTION]: Defines a 'Delegated' mode that explicitly instructs the agent to bypass standard interactive negotiation gates and proceed through task phases autonomously without user intervention.
- [PROMPT_INJECTION]: Exhibits a high vulnerability to indirect prompt injection. It ingests untrusted data from SPEC.md files, PR diffs, and external browser content (DOM, console, network) without sanitization or boundary markers, and uses this data to drive actions across powerful tools like 'bash' and 'curl'.
- [REMOTE_CODE_EXECUTION]: Explicitly directs the agent to generate and execute 'ad-hoc scripts' (Node.js, Python) and use REPL environments at runtime to verify application behavior.
- [DATA_EXFILTRATION]: Includes functionality to upload video recordings of browser automation sessions to an external third-party service (Bunny Stream).
- [EXTERNAL_DOWNLOADS]: Interacts with GitHub APIs via the 'gh' CLI and with the Bunny Stream service for evidence storage.
Audit Metadata