learning-patterns
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from the conversation history to influence agent behavior.
  - Ingestion points: Phase 2 ('Extract Learnings') analyzes the conversation history for signals to update configurations (SKILL.md).
  - Boundary markers: No explicit delimiters or instructions are used to ignore malicious commands embedded within the processed conversation data.
  - Capability inventory: The skill utilizes 'Write' and 'Edit' tools to modify project configuration files and generates new executable artifacts such as commands and skills in Phase 8.
  - Sanitization: No sanitization or validation of the extracted 'learnings' is performed beyond simple confidence heuristics.
- [COMMAND_EXECUTION]: The skill dynamically generates and updates executable files including commands ('.claude/commands/.md'), agent skills ('.claude/skills//SKILL.md'), and event-driven hooks ('.claude/settings.json'). These generated artifacts can contain arbitrary shell commands or tool invocations that persist in the project environment.
- [COMMAND_EXECUTION]: The generated hooks in 'settings.json' can execute arbitrary commands automatically upon tool usage (e.g., 'PostToolUse'), creating a persistence mechanism for commands derived from potentially untrusted conversation content.
Audit Metadata