extract
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes session transcripts and 'forge' candidates which are derived from untrusted session data.
- Ingestion points: Processes data from .agents/ao/pending.jsonl and .agents/forge/*.md as shown in SKILL.md.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands within the ingested session content were identified.
- Capability inventory: The skill executes local shell commands (ao CLI, cat, ls) and writes learning files to the .agents/learnings/ directory.
- Sanitization: No evidence of sanitization or filtering of the ingested content before it is presented to the agent for extraction.
- [COMMAND_EXECUTION]: The skill performs several local command executions for session data processing and validation. The skill executes the 'ao' CLI tool for extraction and queue management tasks. The scripts/validate.sh uses bash -c to execute validation checks, which is a dynamic execution pattern.
Audit Metadata