self-improve
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill's orchestrator and the specialized 'executor' agent autonomously run shell commands, including complex git operations (worktree management, merges, branches) and a user-defined 'benchmark_command'. Once the initial setup phase is confirmed, the loop runs without further user confirmation, creating a risk if the benchmark script or generated code performs destructive actions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. The 'researcher' agent ingests untrusted data from the target repository, such as README files, source code, and configuration files, to generate hypotheses. Malicious instructions embedded in these files could influence the planner and executor agents to perform unauthorized tasks.
  - Ingestion points: target repository source files, README, tests, and configs read by 'si-researcher.md'.
  - Boundary markers: Absent; there are no specific delimiters to separate untrusted repository content from the agent's internal instructions.
  - Capability inventory: The orchestrator performs file system writes via git, and the executor runs arbitrary shell commands defined in the benchmark settings.
  - Sanitization: Absent; the skill does not implement filtering or validation of the data read from the repository before passing it to subsequent agents.
- [DATA_EXFILTRATION]: The system includes features for automated git pushes (auto_push) and Pull Request creation (auto_pr). If the agent is compromised via indirect prompt injection, these capabilities could be misused to exfiltrate sensitive files or credentials from the local environment to an external repository.