pua-loop
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bash script (setup-pua-loop.sh) by passing unvalidated user input ($ARGUMENTS) directly into the shell command. This is a classic command injection vulnerability: an attacker can execute arbitrary code by including shell metacharacters in their request.
- [PROMPT_INJECTION]: The instructions explicitly forbid the agent from using AskUserQuestion. By disabling this tool, the skill removes the essential human-in-the-loop safety mechanism, forcing the agent to make autonomous decisions without user oversight or consent.
- [PROMPT_INJECTION]: The skill contains 'never-say-no' instructions, specifically prohibiting the agent from stating 'I cannot solve'. This overrides the agent's internal safety and capability boundaries, compelling it to continue execution even when encountering significant errors or security constraints.
- [COMMAND_EXECUTION]: The skill performs automated file system modifications using sed -i on configuration files located in the .claude/ directory. This allows the skill to modify its own execution state and persistence settings without user awareness.
- [REMOTE_CODE_EXECUTION]: The skill relies on an external, unverified script (setup-pua-loop.sh) located in the plugin's root directory. The lack of integrity checks for this script, combined with its autonomous execution, represents a significant supply chain risk.
- [DATA_EXFILTRATION]: While no direct network exfiltration was detected in SKILL.md, the autonomous nature of the loop combined with command execution capabilities provides a high-leverage surface for reading sensitive local files and transmitting them during the iteration cycles.
Recommendations
- AI detected serious security threats
Audit Metadata