looping-tasks
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The generated `loop.sh` script executes the `claude` CLI with the `--dangerously-skip-permissions` flag.
  - Evidence: Found in `SKILL.md` within the bash script template: `claude -p $SESSION_FLAG --model opus --dangerously-skip-permissions < "$PROMPT_FILE"`.
  - Impact: This flag bypasses manual confirmation for high-risk operations such as file modifications and shell command execution, allowing the agent to operate autonomously without a human-in-the-loop.
- [DATA_EXFILTRATION]: The generated script automatically performs a `git push` to the remote repository after completion or iteration.
  - Evidence: Found in `SKILL.md`: `git push origin "$BRANCH" 2>/dev/null || git push -u origin "$BRANCH" 2>/dev/null`.
  - Impact: In an autonomous loop, any data exfiltration or malicious code injection resulting from a prompt injection could be automatically synchronized to the remote origin before a user has a chance to review the changes.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it is designed to ingest and act upon data from project files.
  - Ingestion points: `IMPLEMENTATION_PLAN.md`, `CLAUDE.md`, and `.claude/handoff.md`.
  - Boundary markers: The prompt instructs the agent to treat these files as "DATA" and disregard instructions within them.
  - Capability inventory: The agent has full file-system access and shell execution capabilities via the high-privilege `claude` CLI invocation.
  - Sanitization: None. The raw content of external files is provided directly to the agent.
  - Impact: Malicious instructions embedded in the implementation plan or other documentation could potentially bypass instructions and control the agent's behavior, leading to unauthorized actions.