autopilot
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Instruction Override. The `autopilot-keep-running.sh` stop hook returns instructions to the agent such as "Continue from where you left off" and "Do not ask whether to continue," which serve to override the agent's standard autonomous decision-making regarding task completion.
- [COMMAND_EXECUTION]: Bash Tool Usage. The `/autopilot_reset` command defined in `templates/commands/autopilot_reset.md` provides Bash script templates for the agent to execute, which perform file operations in the `/tmp` directory to manage autopilot session state.
- [PROMPT_INJECTION]: Indirect Injection Surface. The skill aggregates session identifiers from hook inputs without performing validation, creating a potential surface for indirect manipulation.
  - Ingestion points: The `templates/hooks/session-start.sh` script extracts the `session_id` from hook input JSON and persists it to a local file.
  - Boundary markers: None are implemented to delimit or validate the session identifier.
  - Capability inventory: The slash command `/autopilot_reset` uses the stored identifier in Bash commands (`rm`, `touch`) to manage state files.
  - Sanitization: There is no validation or escaping of the session identifier before it is used in shell commands, which could allow for path traversal within the temporary directory if a malicious identifier is provided by the environment.
Audit Metadata