ceo-personal-os
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to indirect prompt injection through its automated processing of user-supplied external data.
  - Ingestion points: The 'Memory & Pattern Extraction' section explicitly directs the agent to read and process files uploaded by the user to the `uploads/` directory.
  - Boundary markers: The skill fails to define delimiters or instructions for the agent to ignore potentially malicious embedded commands within the uploaded reviews or documents.
  - Capability inventory: The agent possesses file system write capabilities (via `TodoWrite` and direct file creation instructions) and the ability to append extracted data to `memory.md`, which could lead to persistent context corruption or the execution of instructions hidden in uploaded files during the 'summarization' and 'pattern extraction' phases.
  - Sanitization: There is no evidence of content validation or sanitization before the agent incorporates external text into its long-term state (`memory.md`).
Audit Metadata