autoresearch
Audited by Socket on Mar 30, 2026
1 alert found:
Security: This module is a CI/evaluation code generator, not a self-contained malicious program. The main security concern is the high-privilege execution design: it generates an executable script that will run external build/test/lint commands, including a command derived from StackInfo (stack['build_cmd']). If detect_stack.py/StackInfo inputs are attacker-influenced, this provides a practical arbitrary command execution mechanism during evaluation. Separately, when EXA_API_KEY is set it performs a credentialed outbound request to api.exa.ai to enrich hints, which is a privacy/credential-handling risk but not direct evidence of data theft. Overall risk is moderate-to-high and depends strongly on trust boundaries around detect_stack.py and StackInfo, and on how run_command is implemented (not shown).