learn
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Persistence Mechanisms] (MEDIUM): The skill is designed to maintain state across sessions by writing patterns to `.claude/learned-patterns/`. While this is the primary feature, it establishes a permanent persistence mechanism for instructions that can influence agent behavior indefinitely. Per policy, the severity is reduced from HIGH to MEDIUM as this is the core utility of the skill.
- [Indirect Prompt Injection] (LOW): The skill exhibits a significant attack surface for indirect prompt injection.
  - Ingestion points: User input via the `/learn` command and natural language triggers like 'remember this' (File: SKILL.md).
  - Boundary markers: None identified; instructions are saved and re-injected without explicit delimiters or warnings to ignore embedded instructions in the stored YAML files.
  - Capability inventory: The skill is granted access to the `Read`, `Write`, `Edit`, and `Bash` tools (File: SKILL.md).
  - Sanitization: No sanitization or validation of the 'learned' content is described before it is stored or re-injected into the prompt context.
- [Command Execution] (LOW): The skill requests access to the `Bash` tool. The risk is compounded by the persistence mechanism, as a maliciously 'learned' pattern could instruct the agent to execute dangerous shell commands in a future session where the user might not be expecting automated command execution.
Audit Metadata