agent-optimizer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The 'Tier A — Auto-run' policy explicitly instructs the agent to 'Auto-run when the action is read-only or reversible and has no external side effects.' This creates a directive to bypass safety/confirmation filters. If an attacker can influence the data the agent reads (e.g., via a web page or file), they can exploit this policy to execute commands by framing them as 'read-only' or 'low-impact' actions.
- INDIRECT PROMPT INJECTION (HIGH): Mandatory Evidence Chain:
  - Ingestion points: The skill uses web_fetch and Read/query: files (SKILL.md, Section 1).
  - Boundary markers: None identified. The instructions do not include delimiters or warnings to ignore instructions found within processed data.
  - Capability inventory: The skill possesses the capability to modify system settings via clawdbot gateway config.patch and spawn new execution environments via sessions_spawn (SKILL.md, Sections 2 & 3).
  - Sanitization: Absent. In fact, the skill encourages skipping the primary sanitization mechanism (human confirmation) for Tier A tasks.
- COMMAND_EXECUTION (MEDIUM): The skill provides instructions for the agent to modify its own operational environment using clawdbot gateway config.patch. While intended for optimization (concurrency tuning), this tool could be used by a malicious prompt to degrade performance or alter security settings if the 'Auto-run' policy is misapplied.
Recommendations
- AI detected serious security threats
Audit Metadata