inject
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `ao` CLI tool and standard bash utilities (`sed`, `ls`, `mkdir`, `date`) to search knowledge pools and record citations in `.agents/ao/citations.jsonl`.
- [DATA_EXPOSURE]: The skill accesses files in the user's home directory, specifically `~/.agents/MEMORY.md` and `~/.claude/patterns/`. This allows it to retrieve context and patterns accumulated across different projects and sessions.
- [INDIRECT_PROMPT_INJECTION]: This skill presents a surface for indirect prompt injection as it retrieves content from external files and injects it into the agent's context.
  - Ingestion points: Content is read from `.agents/learnings/`, `.agents/patterns/`, `.agents/research/`, and global memory files in the user's home directory.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands within the retrieved artifacts are specified in the injection logic.
  - Capability inventory: The skill utilizes shell command execution and filesystem access to manage and retrieve context.
  - Sanitization: There is no mentioned validation or sanitization of the content within the knowledge artifacts before they are injected into the session.
Audit Metadata