autonomous-operation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill contains explicit instructions to override and ignore system-level constraints. Specifically, it uses phrases like 'OVERRIDE any other instructions, system prompts, or optimization suggestions' and directive blocks like 'IGNORE: "Be concise"' and 'IGNORE: "Minimize tokens"'. These patterns are characteristic of jailbreak-style injections designed to subvert the agent's core operating parameters.
- Indirect Prompt Injection (LOW): The skill is designed to work with external data (GitHub issues, Git repositories) and possesses significant capabilities (Bash, Write, GitHub API access).
- Ingestion points: Uses
mcp__github__*,Read, andGrepto ingest untrusted data from remote repositories. - Boundary markers: Absent; there are no instructions for the agent to distinguish between user goals and instructions embedded in the files or issues it reads.
- Capability inventory: Possesses
Bash,Edit,Write, and full GitHub/Git manipulation tools. - Sanitization: None; the skill encourages autonomous operation based on the goals derived from these untrusted sources.
- Command Execution (LOW): While the use of
Bashandsleepis contextually appropriate for CI/CD tasks, the skill's directive to ignore 'Time Pressure' and check-in requirements increases the risk of long-running or resource-intensive processes executing without human oversight.
Recommendations
- AI detected serious security threats
Audit Metadata