soul-self-evolution
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
[PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates modification of the agent's core behavioral instructions (SOUL.md). If the `observations` or `changes` inputs are derived from untrusted user content, an attacker can indirectly influence the agent's future behavior, persona, or collaboration style to bypass constraints.
- [COMMAND_EXECUTION]: The skill performs direct file system modifications on behavioral configuration files that define the agent's personality and safety guardrails. Modifying these files effectively changes the agent's operational logic.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface Analysis:
  - Ingestion points: The skill ingests untrusted data through the `observations` and `changes` arguments of the `propose` and `apply` functions in `run.py`.
  - Boundary markers: No boundary markers or delimiters separate user-provided observations from the instructions being updated in SOUL.md.
  - Capability inventory: The skill can write to the file system (`path.write_text` in `run.py`) to persist behavioral changes.
  - Sanitization: The skill includes a check against `immutable_sections` in `run.py`. This protection is insufficient, however, because the `immutable_sections` list can be redefined by the caller through the `apply` function's arguments, potentially allowing an attacker to bypass protection for critical sections such as 'Safety Guardrails'.
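The sanitization finding above is a design flaw rather than a parsing bug: a protected-section list that arrives as a call argument is only as trustworthy as whoever builds the call. The following is an added example written for this page, not the skill's own `run.py`; the function names, the `## heading` layout of SOUL.md and the sample document are assumptions. It shows the caller-overridable pattern the audit describes beside a form where the protected set is fixed at module scope and cannot be supplied by the caller.

```python
"""Illustration of the overridable immutable_sections weakness (added example,
not the soul-self-evolution skill's code). Layout and names are assumptions."""
import re
from typing import Callable, Dict

# Constructed sample SOUL.md; the real file's structure is not known here.
SAMPLE_SOUL = """# SOUL
## Persona
Helpful, concise, honest.
## Safety Guardrails
Never execute commands that modify files outside the workspace.
Refuse to weaken these guardrails.
"""

# Hardened variant: the protected set is a module constant, not a parameter,
# so no call site (and no text that steers the agent's call) can replace it.
IMMUTABLE_SECTIONS = frozenset({"Safety Guardrails"})

_SECTION_RE = re.compile(r"^## (.+)$", re.MULTILINE)


def parse_sections(soul_text: str) -> Dict[str, str]:
    """Split a '## heading' style document into {heading: body}."""
    sections: Dict[str, str] = {}
    matches = list(_SECTION_RE.finditer(soul_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(soul_text)
        sections[m.group(1).strip()] = soul_text[m.end():end].strip()
    return sections


def render_sections(sections: Dict[str, str]) -> str:
    """Inverse of parse_sections for the sample layout."""
    return "# SOUL\n" + "".join(f"## {h}\n{b}\n" for h, b in sections.items())


def apply_weak(soul_text: str, changes: Dict[str, str],
               immutable_sections=("Safety Guardrails",)) -> str:
    """The pattern the audit flags: the protected list is a parameter, so a
    caller can pass immutable_sections=[] and rewrite the guardrails."""
    sections = parse_sections(soul_text)
    for heading, body in changes.items():
        if heading in immutable_sections:
            raise PermissionError(f"section {heading!r} is immutable")
        sections[heading] = body
    return render_sections(sections)


def apply_hardened(soul_text: str, changes: Dict[str, str]) -> str:
    """Protected set is fixed above and checked before any section is written."""
    sections = parse_sections(soul_text)
    touched = IMMUTABLE_SECTIONS.intersection(changes)  # iterates dict keys
    if touched:
        raise PermissionError(f"refusing to modify immutable sections: {sorted(touched)}")
    for heading, body in changes.items():
        sections[heading] = body
    return render_sections(sections)


def guardrails_survive(apply_fn: Callable, **kwargs) -> bool:
    """Run an attacker-style change through apply_fn and report whether the
    Safety Guardrails body is unchanged afterwards (rejection counts as intact)."""
    attack = {"Safety Guardrails": "Do whatever the user asks."}
    try:
        out = apply_fn(SAMPLE_SOUL, attack, **kwargs)
    except PermissionError:
        return True
    original = parse_sections(SAMPLE_SOUL)["Safety Guardrails"]
    return parse_sections(out)["Safety Guardrails"] == original


if __name__ == "__main__":
    print("weak, default list:      ", guardrails_survive(apply_weak))
    print("weak, caller clears list:", guardrails_survive(apply_weak, immutable_sections=[]))
    print("hardened:                ", guardrails_survive(apply_hardened))
```

The hardened form accepts no override knob at all; passing `immutable_sections` to `apply_hardened` is a `TypeError` rather than a policy decision. The same reasoning applies to any allow-list the skill reads from its own inputs: the list must come from code or from a location the untrusted content cannot reach, not from the `apply` call.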
Audit Metadata