filesystem-context
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill introduces a surface for indirect prompt injection via 'Self-Modification' and 'Dynamic Skill Loading' patterns.
- Ingestion points: Untrusted data from sources such as web searches or database queries is written to the filesystem in directories like scratch/ and memory/, as described in SKILL.md.
- Boundary markers: No specific delimiters or boundary instructions are provided to isolate the ingested external data from the agent's core instructions or static context.
- Capability inventory: The system leverages file-system tools including read_file, write_file, grep, and glob to manage and retrieve this persisted context.
- Sanitization: While the documentation notes that 'self-modification requires careful guardrails', it provides no concrete sanitization or validation logic to prevent malicious content from being interpreted as instructions.
Audit Metadata