meta
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill instructs the agent to use system commands like grep to search through log files (atris/logs/**/*.md). It also mentions file system operations such as creating symlinks in .claude/skills/.
- [DATA_EXFILTRATION] (LOW): This finding relates to internal data exposure. The skill directs the agent to read and process potentially sensitive internal project data, including atris/MAP.md and the entire log history. If logs contain credentials or private data, the agent is being trained to expose this context.
- [PROMPT_INJECTION] (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8). It relies on reading untrusted external data sources—specifically the atris/logs/ directory and LESSONS.md. These files may contain data from previous interactions that could include malicious instructions aimed at subverting the agent's logic during its 'Orient' phase.
  * Ingestion points: atris/logs/**/*.md, atris/policies/LESSONS.md.
  * Boundary markers: Absent. There are no instructions to ignore or delimit embedded instructions within the logs.
  * Capability inventory: Execution of grep, writing to LESSONS.md, and the ability to load/route to other specialized skills.
  * Sanitization: Absent. Content from logs is processed directly without filtering.