loki-mode
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (HIGH): The core functionality of the skill relies on executing the Claude CLI with the
--dangerously-skip-permissionsflag. This explicitly bypasses the AI's safety sandbox, allowing it to perform high-risk operations such as arbitrary command execution and filesystem modification without user confirmation. - REMOTE_CODE_EXECUTION (HIGH): The system dynamically generates and executes full-stack application code (Node.js, Express, SQLite). When combined with the autonomous execution mode, this allows for the creation and execution of potentially malicious code derived from untrusted input files.
- PROMPT_INJECTION (LOW): The skill is highly vulnerable to indirect prompt injection through its primary input mechanism.
- Ingestion points: Product Requirements Documents (PRD.md) are read from the filesystem and used to generate tasks (detected in
autonomy/run.sh). - Boundary markers: None identified; the agent treats the content of the PRD as authoritative instructions for code generation and system setup.
- Capability inventory: The agent has full shell access, network capabilities via
curl, and file read/write permissions across the entire host system. - Sanitization: No sanitization or validation of the PRD content is performed before the agent begins executing tasks based on it.
- EXTERNAL_DOWNLOADS (LOW): The skill scripts (
INSTALLATION.md,autonomy/run.sh) usecurlandwgetto download external skill components and dependencies from GitHub. While these point to the project's own repository, they constitute a supply chain risk if the repository is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata