save-playbook
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design, as it parses untrusted conversation history to generate instructions for future agent tasks.
- Ingestion points: Analyzes the current conversation history (Step 1) to extract steps and patterns.
- Boundary markers: The skill does not define strict boundary markers or sanitization logic to prevent malicious instructions embedded in the conversation from being included in the generated playbook.
- Capability inventory: The skill uses
BashandWriteto create and store the resulting playbooks. - Sanitization: There is no explicit sanitization of the extracted content beyond filtering for the 'successful path'.
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to perform filesystem operations. - Evidence: Step 10 executes
mkdir -pandcatto create and verify the new playbook files in.claude/skills/or~/.claude/skills/. - [DATA_EXPOSURE]: The skill processes the entire conversation history, which may contain sensitive data disclosed during the workflow.
- Evidence: Step 1 explicitly reviews goals, read/written files, and API calls from the history to construct the playbook.
Audit Metadata