ghidra-headless-auto-evolution
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is authorized to "directly create or update" executable and configuration files, including skill files, reusable scripts, and new child-skill entry points within the `.agents/skills/` directory. This grants the agent the ability to persistently modify its own behavioral instructions and toolset based on its execution history.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface while processing and generalizing previous task artifacts.
- Ingestion points: Artifacts, notes, scripts, and evidence records from completed tasks, as specified in the "Required Inputs" section of SKILL.md.
- Boundary markers: The skill includes checkpoints for task context and benefit statements but lacks explicit delimiters or "ignore previous instructions" warnings when processing the untrusted content from reviewed artifacts.
- Capability inventory: The agent has the authority to write to the `.agents/skills/` directory, affecting its own system instructions and logic for future sessions.
- Sanitization: No explicit sanitization, validation, or escaping protocols are defined for the content extracted from artifacts before it is written into permanent tracked assets.