aif-loop
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill dynamically generates bash commands from the user-provided 'task prompt' and 'criteria rules' during the PREPARE phase. These commands are subsequently executed in the EVALUATE phase via the Task and Bash tools, allowing for arbitrary code execution.
- [COMMAND_EXECUTION]: The skill explicitly uses the Bash tool to run executable checks (compile, lint, test) as part of its core evaluation logic.
- [PROMPT_INJECTION]: The skill contains a 'Step 0' instruction that mandates project-level overrides from
.ai-factory/skill-context/aif-loop/SKILL.md. It explicitly states that these external rules 'win' over the skill's internal instructions, providing a direct mechanism for instruction bypass. - [DATA_EXPOSURE]: The skill reads several files from the workspace, including
.ai-factory/DESCRIPTION.md,ARCHITECTURE.md, andRULES.md, which may expose sensitive architectural or operational details to the agent context. - [INDIRECT_PROMPT_INJECTION]:
- Ingestion points: The skill reads untrusted data from multiple files in the
.ai-factorydirectory during initialization. - Boundary markers: No delimiters or warnings are used to separate ingested content from the system instructions.
- Capability inventory: The skill has high-privilege capabilities including Bash execution, Task spawning, and file write/edit permissions.
- Sanitization: There is no evidence of sanitization or validation of the 'check' instructions before they are converted into executable shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata