loki-mode

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH

EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • External Downloads (HIGH): The installation guide (INSTALLATION.md) and scripts encourage downloading core logic, agent definitions, and templates from an untrusted GitHub repository (github.com/asklokesh/loki-mode). This source is not on the Trusted External Sources list.
  • Command Execution (HIGH): The system design requires running the AI agent with the --dangerously-skip-permissions flag (autonomy/run.sh). Combined with explicit behavioral instructions in references/core-workflow.md to NEVER ask questions or wait for confirmation, this allows the agent to execute any shell command without user oversight.
  • Remote Code Execution (HIGH): The skill interprets a Product Requirements Document (PRD) to generate and execute application code, including starting servers and running tests. An attacker-controlled PRD could easily trigger malicious code execution on the host machine during the autonomous development cycle.
  • Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection via the PRD files it ingests. It lacks boundary markers and sanitization while operating in a high-capability environment. Ingestion point: PRD.md. Capabilities: full shell/file access via --dangerously-skip-permissions.
  • Dynamic Execution (MEDIUM): Scripts like export-to-vibe-kanban.sh and prepare-submission.sh use dynamic Python execution blocks (python3 << EOF) to handle data processing, which increases the complexity of the execution chain and the potential for manipulation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:41 PM