evolving-ai-agents

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM

Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The framework's default evolution engine (AEvolveEngine) is designed to provide the evolution LLM with "full bash tool access to the workspace." This allows the model to execute arbitrary shell commands on the host to analyze performance and modify files.
  • [REMOTE_CODE_EXECUTION]: The framework supports "LLM-driven workspace mutation," specifically enabling the evolution engine to write new Python tool implementations to the filesystem using the AgentWorkspace.write_tool method. These generated tools are subsequently loaded and executed by the agent, constituting a dynamic code execution pattern.
  • [DATA_EXFILTRATION]: Because the evolution engine possesses direct filesystem access and network capabilities (via LLM provider APIs), there is a risk that sensitive agent state, including episodic memories and tool code, could be exfiltrated if the evolver is manipulated.
  • [PROMPT_INJECTION]: The skill is inherently susceptible to indirect prompt injection (Category 8). It ingests untrusted data from benchmark tasks which are then analyzed by an LLM to determine how to mutate the agent's core instructions and tools.
    • Ingestion points: Untrusted benchmark data enters the system through BenchmarkAdapter.get_tasks() and is processed in the evolution loop via JSONL observation files.
    • Boundary markers: No specific delimiters or instruction-ignore markers for the observation data are documented.
    • Capability inventory: The evolution engine has the capability to write to the filesystem (write_prompt, write_skill, write_tool) and execute shell commands (bash tools).
    • Sanitization: The documentation does not specify any sanitization or validation of observation data before it is provided to the evolution engine for mutation planning.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 03:34 AM