autopilot

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
Finding tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's Phase 3 (QA) and Phase 4 (Validation) involve running build, lint, and test commands. This entails the execution of code that may have been generated or modified during earlier phases. While this is the intended functionality of an autonomous developer agent, it provides a vector for code execution risks if the generated code or the underlying repository is malicious.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests user-provided ideas and local context files to drive its autonomous workflow.
    • Ingestion points: Processes brief product ideas directly from user prompts and loads existing context snapshots from .omx/context/ files.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when processing the input idea or context snapshots.
    • Capability inventory: The skill can execute MCP tools (state_write, state_clear, state_read), discover new tools via ToolSearch, and run local shell commands for building and testing.
    • Sanitization: There is no evidence of input validation or sanitization of the user's description before it is expanded into technical specifications and plans.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 8, 2026, 04:34 PM