autoresearch
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands provided by the user (the 'verify' and 'guard' commands) to measure metrics. It also explicitly instructs the agent to 'Never stop. Never ask' and 'Do not ask for confirmation,' suppressing standard human-in-the-loop safety protocols for high-risk operations.
- [REMOTE_CODE_EXECUTION]: The core logic involves an autonomous loop where the agent writes code changes and then executes them via the measurement commands. This autonomous write-and-execute cycle can be exploited if the agent's ideation process is compromised.
- [DATA_EXFILTRATION]: The skill performs automated 'git push' operations to remote repositories for both code changes and logs. This presents a risk of accidental exfiltration of sensitive information (e.g., credentials or environment variables) if they are within the research scope.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because the agent's 'Review' and 'Ideate' phases rely on reading project files and experiment logs which could contain malicious instructions.
- Ingestion points: Project files, the
autoresearch-results.tsvlog, and git branch names. - Boundary markers: No delimiters or warnings are used to prevent the agent from obeying instructions found within the files it reviews.
- Capability inventory: Shell execution, file modification, and remote git operations (push/merge).
- Sanitization: No validation or sanitization is performed on the data ingested from the project environment before it influences the agent's next action.
Audit Metadata