lisa-learn
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several shell commands using the git CLI to inspect project status and retrieve file contents (git -C <project-path> diff, git -C <project-path> status, git -C <project-path> show).
- [REMOTE_CODE_EXECUTION]: In Step 6, the skill executes lifecycle scripts (typecheck, lint, test) defined in the target project using the detected package manager (bun, pnpm, yarn, or npm). If the target project's configuration is malicious, this results in arbitrary code execution within the agent's environment.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from an external project directory to perform analysis and decision-making.
  - Ingestion points: The skill reads git diff output and raw file contents from a user-provided project path in SKILL.md (Step 3, 4, and 8).
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are used when processing the diff or file content.
  - Capability inventory: The agent has the capability to execute shell commands (via git and package managers) and write to the local filesystem (modifying Lisa templates via the Write tool).
  - Sanitization: There is no evidence of sanitization or validation of the content retrieved from the target project before it is written back to the Lisa templates.
Audit Metadata