context-snapshot
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill captures untrusted conversation data and prepares it as a set of instructions for future agents, creating a persistent injection chain.
- Ingestion points: Processes the entire active conversation to map goals, decisions, and constraints (SKILL.md, Step 2).
- Boundary markers: None. While it uses a structured Markdown template, it does not use delimiters or instructions to ignore embedded commands within the captured sections.
- Capability inventory: Possesses file-writing capabilities to any user-specified path (SKILL.md, Step 5).
- Sanitization: None. The skill is explicitly told to 'Capture exact wording' and 'Preserve exact phrasing' (SKILL.md, Step 2 & Critical Rules), ensuring malicious payloads remain intact.
- Downstream impact: The 'Handoff Prompt for Next Agent' in
context-template.mdcreates a high-trust context by instructing the next agent to 'Treat "Fact" as authoritative,' potentially bypassing the next agent's safety filters if the 'Fact' contains an injection. - [Command Execution] (MEDIUM): The skill allows for unvalidated file system writes via user-provided paths.
- Evidence: 'If the user provides a path, use it... Create the parent directory if it does not exist' (SKILL.md, Step 1).
- Risk: An attacker could provide a path to a sensitive configuration file (e.g.,
~/.bashrcor~/.ssh/authorized_keys). If the agent environment lacks path sandboxing, the handoff content (which includes user-influenced 'Facts') could be written to these files to achieve persistence or execution.
Recommendations
- AI detected serious security threats
Audit Metadata