context-compactor
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted message context through summarization and extraction logic, which can be a surface for indirect prompt injection. \n
- Ingestion points: Untrusted data enters the agent context through the
compactmethod inscripts/compactor.pyand various summarization functions inscripts/summarizer.py. \n - Boundary markers: Compaction results are identified by a
[SUMMARIZED CONTEXT]header, but individual summarized data points lack isolation markers to prevent instruction following. \n - Capability inventory: No dangerous system-level capabilities (e.g., shell execution, network requests, or file writing) were identified within the provided scripts. \n
- Sanitization: No explicit sanitization or filtering is performed on the content before summarization. The extraction logic in
scripts/importance_scorer.pyspecifically searches for decision-related keywords, which an attacker could use to ensure their malicious instructions are preserved and prioritized.
Audit Metadata