session-reflect
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by extracting 'Behavior Calibration' and 'Cognitive Protection' instructions from untrusted session history and persisting them in a shared configuration file.
  - Ingestion points: Extracts preferences and cognitive patterns from the current session interaction history (referenced in SKILL.md).
  - Boundary markers: No delimiters or 'ignore' instructions are used when interpolating extracted session data into the context.md file.
  - Capability inventory: The skill has file-write access to ~/.agents/context.md and executes a local bash script (SKILL.md).
  - Sanitization: No evidence of sanitization or validation of the extracted session content before it is written to the persistent profile.
- [COMMAND_EXECUTION]: The skill executes a local shell script scripts/setup.sh during the initialization phase to set up directories and symlinks.
- [SAFE]: The creation of symlinks to configuration files like ~/.claude/CLAUDE.md, ~/.codex/AGENTS.md, and ~/.gemini/GEMINI.md is an intended feature for cross-tool persona synchronization and does not involve privilege escalation or external network operations.
Audit Metadata