project-os
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill defines an autonomous loop where the agent is instructed to execute a chain of high-risk commands (`migrations apply`, `deploy`, `pnpm release`) and 'smoke tests' (arbitrary commands/requests) upon seeing triggers like 'complete all'. Executing scripts defined within the managed project autonomously poses a risk if the project files are compromised or malicious.
- PROMPT_INJECTION (LOW): The skill utilizes strong framing and persona-driven instructions in `AGENTS.template.md` to override the agent's default behavior, including a mandatory output prefix (`[我严格遵守规则]`) and an instruction to disregard 'development cost' in favor of 'optimal solutions.'
- PROMPT_INJECTION (LOW): (Indirect) The system is vulnerable to indirect prompt injection because it dynamically ingests behavior-altering rules and commands from project files (`AGENTS.md` and `commands.md`). An attacker who can influence the project repository could inject malicious rules that the agent would then adopt as its own operating instructions.
  - Ingestion points: `AGENTS.md`, `commands/commands.md`
  - Boundary markers: Absent; the agent treats Markdown content as authoritative instructions.
  - Capability inventory: Shell command execution via `pnpm`, `npm`, deployment scripts, and arbitrary 'smoke tests' (command execution/network requests).
  - Sanitization: Absent; no escaping or validation of command contents is performed before execution.
- DATA_EXPOSURE (SAFE): While the documentation (`npm-release-process.md`) describes where authentication tokens like `NPM_TOKEN` or `.npmrc` files are located for legitimate deployment purposes, it does not contain hardcoded secrets or logic to exfiltrate them.
Audit Metadata