lesson
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted conversation data to define future behavior. * Ingestion points: Reads 'recent conversation context' (SKILL.md). * Boundary markers: No delimiters or ignore instructions for user content. * Capability inventory: Updates SKILL.md, checklists, and long-term memory. * Sanitization: No validation of extracted content is performed.
- [PROMPT_INJECTION]: The rule to 'update those files too' (referring to SKILL.md) enables a persistence mechanism for malicious instructions successfully injected via user conversation.
Audit Metadata