simulation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): The skill defines configuration parameters for `auto_push` and `git_remote` in `SKILL.md`. While these are intended for a 'Git Time Machine' feature to enable undo/redo functionality, they represent a high-risk exfiltration vector. An attacker could use the `SET GIT REMOTE` command to point to a malicious server and enable `auto_push` to exfiltrate the simulation state or other files in the directory.
- [DATA_EXFILTRATION] (LOW): The `transcript_path` parameter in `SKILL.md` allows the agent to specify where session logs are written (e.g., `./README.md`, `./logs/session-log.md`). If path sanitization is not strictly enforced by the agent framework, this could be exploited to overwrite sensitive files or write data to locations outside the intended simulation directory.
- [COMMAND_EXECUTION] (LOW): The skill documentation mentions several commands (`TICK`, `REWIND`, `BRANCH`, `MERGE`) that imply underlying shell or Git execution. While these are presented as high-level simulation controls, they require the agent to have significant permissions over the local filesystem and version control system.
- [PROMPT_INJECTION] (SAFE): No explicit prompt injection patterns, bypass markers, or role-play jailbreaks were detected in the skill instructions or metadata.
- [DATA_EXFILTRATION] (LOW): This skill exhibits an indirect prompt injection surface.
  - Ingestion points: The skill reads simulation state from YAML files (e.g., `ADVENTURE.yml`, `SIMULATION.yml`) using `read_file`.
  - Boundary markers: No specific delimiters or safety warnings for embedded instructions are defined in the schema.
  - Capability inventory: The skill has `write_file` and Git push capabilities.
  - Sanitization: No evidence of sanitization for data read from the simulation state files before it is processed or used in logic.
Audit Metadata