auto-project-runner
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions explicitly bypass standard agent safety protocols by setting 'auto_accept_permissions: true' and instructing the model to 'minimize interruptions, explanations, and permission prompts.' This configuration disables the human-in-the-loop verification typically required for high-risk tool operations.
- [PROMPT_INJECTION]: The skill possesses a high vulnerability surface for Indirect Prompt Injection. It is designed to autonomously read and 'infer tasks' from various user-controlled files without sanitization or boundary markers. * Ingestion points: Reads memory and task definitions from 'MEMORY.md', 'CLAUDE.md', 'PROJECT_MEMO.md', 'TODO.md', 'tasks.md', and 'ROADMAP.md'. * Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore or escape potential instructions contained within these ingested files. * Capability inventory: The skill utilizes the 'terminal', 'filesystem', 'code', and 'browser' tools, allowing for significant impact if malicious instructions are processed. * Sanitization: Lacks validation or filtering for ingested data before it is incorporated into the execution plan.
- [COMMAND_EXECUTION]: The skill automatically executes terminal commands (such as 'npm test' or 'npm run build') discovered within project metadata files. This behavior allows for the autonomous execution of arbitrary code if project configuration files are tampered with or contain malicious scripts.
Audit Metadata