infinite-dev
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill is installed using
npxfrom the author's GitHub repository. - [COMMAND_EXECUTION]: The
scripts/dev-agent.pyscript manages the autonomous development loop by executing shell commands via thesubprocessmodule. In 'Autopilot' mode, it spawnsclaudeprocesses with the--dangerously-skip-permissionsflag, which bypasses security prompts for tool execution. - [REMOTE_CODE_EXECUTION]: The 'Initializer' agent generates a shell script (
init.sh) based on the project specification provided by the user. The workflow then requires the agent to execute this dynamically created script. This allows for arbitrary code execution if the project specification contains malicious instructions. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted input from project specifications and source files to generate executable tasks and scripts.
- Ingestion points: Project specification files (e.g.,
app_spec.txt,spec.md) and the project's source code. - Boundary markers: Absent; no delimiters are used to separate user-provided content from instructions.
- Capability inventory:
subprocess.runandsubprocess.Popeninscripts/dev-agent.py; file writing for project initialization. - Sanitization: Absent; the generated
init.shandfeature_list.jsonare not sanitized or validated. - [PROMPT_INJECTION]: The system prompts in
SKILL.mdandAGENTS.mduse rigid, imperative language that could be exploited to bypass safety guardrails if the agent's context is poisoned by malicious project data.
Recommendations
- AI detected serious security threats
Audit Metadata