loop
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill implements a self-sustaining loop using a stop hook (hooks/stop-hook.sh) to intercept session exits and force the agent to continue. While this is the intended functionality, it acts as a persistence mechanism that bypasses the user's intent to terminate a session.
- [COMMAND_EXECUTION] (MEDIUM): The skill requires disabling safety permissions (--dangerously-skip-permissions) to operate autonomously. This allows the agent to execute shell commands and modify the filesystem without platform-enforced constraints or human oversight.
- [PROMPT_INJECTION] (LOW): Instructions like 'NEVER ask questions' and 'Ignore pre-existing changes' are used to override the agent's default interactive and safety behaviors to facilitate autonomous execution.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection via repository files (Docs/VERIFY.md, .dots/.md). An attacker modifying these files can inject instructions that the agent is explicitly told to execute. 1. Ingestion points: .dots/.md, Docs/VERIFY.md. 2. Boundary markers: Absent. 3. Capability inventory: Subprocess calls, file-write, and git operations across ALL scripts. 4. Sanitization: Absent.
Audit Metadata