learned-patterns
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): This skill defines a 'Pattern Lifecycle' where instructions are 'learned' from user corrections/files and later 'injected' into the agent's session context.
- Ingestion points: The skill ingests data from 'User correction detected' in prompts and 'relevant patterns' found in project files during 'INJECTION'.
- Boundary markers: There are no boundary markers or sanitization logic mentioned to prevent the agent from obeying instructions embedded within the content.right or content.wrong fields of the pattern schema.
- Capability inventory: The skill allows the Bash, Write, and Edit tools. A malicious pattern could instruct the agent to use these tools to exfiltrate data or modify the system.
- Sanitization: No sanitization of the 'learned' content is described before it is re-injected into the prompt.
- Command Injection (HIGH): Several actions execute shell commands via node using user-provided inputs like <pattern-id> and [reason] (e.g., node .claude/skills/learned-patterns/scripts/archive-pattern.cjs <pattern-id> [reason]). If these arguments are not strictly validated, an attacker could supply shell metacharacters to execute arbitrary commands.
- Persistence (HIGH): The skill intentionally creates a persistence mechanism by storing 'learned patterns' in the .claude/learned-patterns/ directory. This allows an attacker to 'poison' the agent's long-term memory with malicious instructions that persist across different projects or sessions.
- Dynamic Execution (MEDIUM): The skill relies on executing .cjs scripts located within the skill's directory. While these are local, the reliance on node to process potentially attacker-influenced data from the index.yaml or individual pattern files increases the risk of runtime exploitation.
Recommendations
- AI detected serious security threats
Audit Metadata