moai-workflow-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill implements an automated feedback loop susceptible to Indirect Prompt Injection. Ingestion points: Diagnostic messages from LSP servers and AST-grep structural scans in
post_tool__lsp_diagnostic.py. Boundary markers: None documented; tool outputs are passed to the agent without isolation. Capability inventory: UsesBash,Write, andEdittools to apply automated fixes. Sanitization: No sanitization is mentioned, allowing malicious source code to trigger specific 'error messages' that contain instructions the agent might follow during the loop. - [COMMAND_EXECUTION] (HIGH): The
/moai:loopand/moai:alfredcommands automate tool use viaBash. If the loop's logic is influenced by poisoned diagnostics, the agent may execute arbitrary shell commands. - [REMOTE_CODE_EXECUTION] (MEDIUM): The skill's functionality is dependent on Python hook scripts (
post_tool__lsp_diagnostic.py,stop__loop_controller.py) and configuration files (ralph.yaml) stored within the project directory. Loading and executing these from an untrusted project directory allows for the execution of arbitrary code.
Recommendations
- AI detected serious security threats
Audit Metadata