dual-loop

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: Several agent personas include tools for fetching external web content (WebFetch, WebSearch) in combination with powerful local capabilities such as file modification (Write, Edit) and shell command execution (Bash).
      ◦ Ingestion points: External content is ingested via the WebFetch tool in personas such as personas/data-ai/ai-engineer.md and personas/quality-testing/qa-expert.md.
      ◦ Boundary markers: The persona instructions do not define explicit boundary markers or instructions to isolate untrusted web data.
      ◦ Capability inventory: Agents have access to Bash (shell execution) and Write/Edit (filesystem modification) tools.
      ◦ Sanitization: Instructions in files like ai-engineer.md mention a 'Security First' philosophy and 'Sanitize inputs and outputs' as general guidelines.
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The documentation provides configurations for several external Model Context Protocol (MCP) servers to be installed via npx.
      ◦ Evidence: personas/README.md recommends packages including @modelcontextprotocol/server-sequential-thinking, @upstash/context7-mcp, and @playwright/mcp.
      ◦ Status: These resources originate from well-known technology companies and trusted organizations (Model Context Protocol, Upstash, Microsoft) and are considered standard tooling within the agent ecosystem.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 07:03 PM