agent-native-architecture
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill uses structured XML-like tags (e.g., , , <core_principles>) to guide the agent's behavior and response logic when acting as an architectural consultant.
- [COMMAND_EXECUTION]: The documentation encourages the use of 'atomic primitives' such as bash and file system tools to achieve action parity with users, allowing the agent to execute shell commands and modify system files.
- [REMOTE_CODE_EXECUTION]: The skill describes advanced patterns for 'Self-Modification,' enabling agents to read, edit, and commit their own source code to Git repositories and trigger automated deployments.
- [DATA_EXFILTRATION]: Patterns such as the 'Shared Workspace' and 'Files as Universal Interface' recommend giving agents access to user data directories (e.g., iCloud Documents), which could be accessed or transmitted using the recommended network and shell tools.
- [PROMPT_INJECTION]: Indirect Prompt Injection Risk Assessment:
  - Ingestion points: The architecture relies on agents reading user-controlled files (e.g., research notes, journals, context.md) as described in references/files-universal-interface.md and references/shared-workspace-architecture.md.
  - Boundary markers: The provided documentation focuses on architectural patterns and does not explicitly require or demonstrate the use of delimiters or 'ignore' instructions for untrusted data.
  - Capability inventory: The skill advocates for tools like bash, write_file, git_push, and fetch as part of a 'complete toolset' in references/self-modification.md.
  - Sanitization: There is no guidance provided for sanitizing or escaping user-controlled content before it is processed by the agent, creating a vulnerability to indirect injection.
Audit Metadata