reflect
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
DATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface. The skill extracts 'learnings' from session transcripts and persists them in CLAUDE.md, which is used to guide the agent in subsequent sessions.
  - Ingestion points: Session transcripts containing potentially untrusted data from tool outputs or external responses (identified in the 'Extraction Flow' section of SKILL.md).
  - Boundary markers: Stored memories use standard Markdown headers and bullet points but lack explicit security delimiters or 'ignore embedded instruction' warnings to prevent stored data from being interpreted as commands.
  - Capability inventory: The skill possesses the ability to modify CLAUDE.md, a file that typically provides core instructions to the agent, effectively allowing stored content to alter the agent's future logic.
  - Sanitization: 'Quality Gates' are mentioned (e.g., must be a complete sentence, actionable), but these are semantic checks for utility rather than security sanitization against adversarial prompt injection.
- DATA_EXFILTRATION (LOW): Potential Sensitive Data Exposure. The automated process of summarizing transcripts into persistent markdown files risks inadvertently capturing sensitive information (such as API keys or PII) that appeared in the conversation. If CLAUDE.md is committed to a shared repository, this data becomes permanently exposed in version history.
Audit Metadata