loop-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data through the 'task' and 'until' parameters. Ingestion points: User-provided strings or data read from external sources in SKILL.md. Boundary markers: Absent. Sanitization: None identified. If an agent is tasked with processing untrusted content (e.g., a README or web page) that contains hidden instructions for this skill, it may execute unauthorized repetitive tasks.
- [Command Execution] (HIGH): Capability inventory: The skill uses exit codes (0 and 2) to control a loop that likely triggers the agent's internal tool execution (shell, file system). This provides an attacker with a 'force multiplier' primitive to perform automated brute-forcing, large-scale data collection, or repeated attempts at privilege escalation.
- [Data Exposure] (LOW): The skill records execution history to '.meta/loop-status.json'. This creates a predictable location where sensitive data processed during loop iterations might be exposed or logged in plaintext.
Recommendations
- AI detected serious security threats
Audit Metadata