ai-dev-loop
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONNO_CODE
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is inherently vulnerable to indirect prompt injection through its task-driven architecture.
- Ingestion points: Untrusted data is ingested from files in
.agents/TASKS/and.agents/PRDS/. - Boundary markers: Absent; the agent is instructed to read and implement the content of these files without delimiters or instructions to ignore embedded commands.
- Capability inventory: The agent is authorized to perform file writes, execute build/lint/test commands, and perform Git operations (branching and committing).
- Sanitization: Absent; there is no filtering or validation logic to prevent malicious instructions in the task files from being followed by the agent.
- COMMAND_EXECUTION (HIGH): The instructional framework requires the agent to execute arbitrary system commands for building, linting, and testing code. Because these commands are determined by the implementation logic derived from untrusted task files, this creates a significant execution risk.
- NO_CODE (LOW): No executable source code (Python, JavaScript, etc.) was provided for the underlying implementation of the loop; the security evaluation is based on the operational logic defined in the markdown instructions.
Recommendations
- AI detected serious security threats
Audit Metadata