loop
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses Bash commands (`mkdir`, `cat`) in its startup flow to create and manage a local state file (`.claude/pua-loop.local.md`) used to track iterations.
- [PROMPT_INJECTION]: The skill includes directives that override default agent behaviors, specifically prohibiting the agent from asking the user questions (`禁止调用 AskUserQuestion`, "calling AskUserQuestion is forbidden") or from admitting it cannot solve a task (`禁止说"我无法解决"`, "saying 'I cannot solve this' is forbidden"). These are intended to keep the agent operating autonomously for the duration of the loop.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by interpolating the user-provided task description (`$ARGUMENTS`) directly into a state file that the agent subsequently reads as instructions.
- Ingestion points: The `$ARGUMENTS` placeholder in the Bash script within `SKILL.md` that initializes the state file.
- Boundary markers: Absent; the user-provided description is inserted directly into the markdown content without delimiters or instruction-ignore guards.
- Capability inventory: The skill can execute local commands (build/test) and access project files and git logs.
- Sanitization: Absent; no validation or filtering is performed on the user-provided task description before it is written to the state file.
Audit Metadata