Algorithm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection.
  1. Ingestion points: The OBSERVE phase reads the local codebase, external documentation, and search results (SKILL.md, Executealgorithm.md).
  2. Boundary markers: No delimiters or ignore instructions are present.
  3. Capability inventory: The skill has access to Bash execution, file writing, and subagent orchestration (Capabilities.yaml).
  4. Sanitization: No sanitization or validation of ingested content is performed.
  This allows malicious data in analyzed files to hijack the agent's logic.
- Command Execution (HIGH): The EXECUTE phase uses Bash and file-writing tools to implement plans. Since these plans are derived from untrusted inputs gathered in the OBSERVE phase, an attacker could gain arbitrary command execution by placing malicious instructions in a file the agent is likely to read.
- Remote Code Execution (MEDIUM): The integration of external research agents (Perplexity) and browser tools to fetch data that influences an iterative execution loop (ralph_loop) creates a path for remote web content to influence local system execution.
Recommendations
- AI detected serious security threats
Audit Metadata