note
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill takes arbitrary user input and writes it directly to a local file (`.research/logs/activity.md`) that is explicitly intended to be read by other skills like `wrap-up`. A malicious user could provide a note containing instructions designed to hijack the agent's logic when it later processes the activity log.
  - Ingestion points: The text following the `/note` command or natural language equivalents.
  - Boundary markers: The input is formatted into a list with timestamps, but there are no protective delimiters or instructions to downstream processes to ignore embedded commands.
  - Capability inventory: The skill possesses file read/write capabilities for local project files.
  - Sanitization: The skill does not sanitize or escape the user-provided text, prioritizing speed and fidelity of capture over security.
Audit Metadata