compound-engineering-3
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses npx to download and execute the compound-engineering package from the npm registry, which runs unverified code on the host system.
- [EXTERNAL_DOWNLOADS]: npx compound-engineering triggers the download of external code from the npm registry during the quick start and automated review processes.
- [COMMAND_EXECUTION]: Instructions provide specific commands to modify system crontabs and create macOS launchd configuration files, establishing persistence and background execution for recurring tasks.
- [PROMPT_INJECTION]: The core loop constitutes an indirect prompt injection surface. It instructs the agent to review untrusted session history and update instruction files such as AGENTS.md.
  1) Ingestion points: reads all session logs from the last 24 hours.
  2) Boundary markers: no delimiters are used to separate untrusted data from instructions.
  3) Capability inventory: modifies instruction files and performs shell and git operations.
  4) Sanitization: no sanitization is performed on extracted content.
- [DATA_EXFILTRATION]: Automated git commit and push operations are used to synchronize memory files. If the agent copies credentials or other private data from session logs into these files, the push would exfiltrate that data to the remote repository.