lev-workshop
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The Python integration for the 'Analysis' phase explicitly uses a
permission_mode="bypassPermissions"flag when querying the LLM via theclaude-agent-sdk. This is a direct attempt to override or bypass the agent's safety and security protocols. - [REMOTE_CODE_EXECUTION]: The 'Poly Integration' phase provides functionality to write code and configuration directly into other agent skill directories, such as
~/.claude/skills/lev-lifecycle/references/hooks.md. This capability allows the skill to modify the core instructions and behavior of the agent across sessions, serving as a persistence and lateral movement vector. - [COMMAND_EXECUTION]: The workflow generates code in a local 'Proof of Concept' (POC) directory and provides commands to execute it (e.g.,
lev workshop test ws-001runningpython circuit_breaker.py --demo). This facilitates the execution of dynamically generated and potentially unvetted code. - [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection by processing untrusted data (intake ideas, error messages, and feature requests) through an LLM during the analysis and POC phases.
- Ingestion points: Raw user input is captured in YAML files within
~/lev/workshop/intake/and subsequently processed by the agent. - Boundary markers: Absent. The skill does not employ delimiters or specific instructions to the LLM to ignore potentially malicious content within the intake data.
- Capability inventory: The skill has the ability to execute subprocesses for testing, perform file writes to various system locations, and modify agent skill configurations.
- Sanitization: Absent. There is no evidence of validation or sanitization of the 'raw_input' before it is interpolated into prompts for the analysis phase.
Recommendations
- AI detected serious security threats
Audit Metadata