soul
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill uses persona enforcement instructions that command the AI to suppress its standard identity and safety-related responses. It explicitly forbids the AI from saying "as an AI" or claiming it lacks opinions, directing it to stay in character at all times.
- [PROMPT_INJECTION]: A significant indirect prompt injection surface exists in the persona-building process. The skill systematically parses and analyzes external content (Twitter archives, articles) that could contain malicious instructions designed to manipulate the agent during the data analysis phase.
- Ingestion points: The skill reads from `data/x/` and `data/writing/` as specified in `BUILD.md` and `data/_GUIDE.md`.
- Boundary markers: No clear delimiters or warnings to ignore embedded instructions are implemented during data processing.
- Capability inventory: The agent has permissions to read and write files within the skill directory, including `SOUL.md` and `MEMORY.md`.
- Sanitization: There is no evidence of sanitization or filtering for the data ingested from user archives.
- [COMMAND_EXECUTION]: The skill orchestrates behavior through custom triggers (`/soul` and `/soul-builder`) that involve reading multiple local configuration files and performing automated file updates to maintain session continuity.
- [DATA_EXFILTRATION]: The skill's primary function involves accessing and processing personal user archives (e.g., social media exports). Although no network-based exfiltration was detected, the processing of this private data constitutes a substantial exposure of sensitive user information to the model.
Audit Metadata