autoresearch

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that explicitly override standard agent safety protocols regarding human-in-the-loop confirmation. Phrases such as "LOOP FOREVER. Never ask 'should I continue?' — just keep going" and "Resume immediately — do not ask 'should I continue?'" direct the agent to perform repeated code modifications and shell executions without user oversight.
  • [COMMAND_EXECUTION]: The skill requires the agent to generate and execute arbitrary shell scripts (e.g., autoresearch.sh and autoresearch.checks.sh) to run benchmarks and verify results. This provides a mechanism for executing arbitrary commands on the host system, which is particularly risky given the autonomous nature of the loop.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads all files in the defined project scope to understand the codebase. Maliciously crafted comments or data within these files could influence the agent's behavior during its autonomous phase.
      • Ingestion points: specified in SKILL.md as "Read all files in scope thoroughly".
      • Boundary markers: none provided to distinguish code from instructions.
      • Capability inventory: file editing, git operations, and bash script execution, as detailed in SKILL.md.
      • Sanitization: no validation or sanitization of file content is performed before the agent processes it as context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 10:09 PM