knowledge-ops
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface (Category 8) by design.
- Ingestion points: The workflow ingests external documents, browser bookmarks, and conversation exports into structured storage layers (File: SKILL.md).
- Boundary markers: No specific XML delimiters or instruction-ignore markers are specified for the ingested content to prevent the agent from obeying embedded instructions.
- Capability inventory: The skill uses MCP tools (create_entities, search_nodes), Git commit/push operations, and external database writes to manage data.
- Sanitization: Instructions include redacting credentials like API keys, but there is no mention of sanitizing or escaping natural language instructions contained within external data sources.
- [DATA_EXFILTRATION]: The skill automates the transfer of local data to external services including GitHub repositories, Linear projects, and Supabase databases.
- [DATA_EXFILTRATION]: Accesses the agent's internal application state and project-specific memory files located at ~/.claude/projects/*/memory/.
Audit Metadata