autoresearch
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains directives that explicitly instruct the agent to bypass human confirmation steps during its autonomous experimentation cycle (e.g., "NEVER STOP. Once the loop starts, do not pause to ask the user if you should continue").
- [COMMAND_EXECUTION]: The skill triggers host-level shell commands to interact with the user's environment, specifically using the `open` command on macOS to launch a generated HTML dashboard in the browser.
- [EXTERNAL_DOWNLOADS]: The generated dashboard script fetches the Chart.js library from `cdn.jsdelivr.net`, which is a well-known and established content delivery network service.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing data from external sources that could contain malicious instructions.
  - Ingestion points: The agent reads the target `SKILL.md` file, user-defined test inputs, and the generated outputs from the skill being optimized.
  - Boundary markers: The instructions fail to provide clear delimiters or guardrails to ensure that untrusted content from these sources is not interpreted as instructions by the agent.
  - Capability inventory: The skill has permissions to read and write files (`results.json`, `dashboard.html`), execute shell commands (`open`), and trigger browser-based network requests.
  - Sanitization: There is no logic provided to sanitize or escape data before it is interpolated into the agent's context or rendered in the HTML dashboard.
Audit Metadata