compound-knowledge
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill creates a repository-based feedback loop where user-provided content is stored and later used as searchable context for the agent. \n
- Ingestion points: User descriptions of bug fixes, patterns, and decisions enter the system via files in the
./knowledge/directory. \n - Boundary markers: The provided markdown templates do not include delimiters or warnings to separate data from instructions. \n
- Capability inventory: The skill includes file writing and explicitly directs the agent to propose modifications to core instruction files like
AGENTS.md. \n - Sanitization: There is no mechanism to sanitize or validate the content provided by the user before it is committed to the codebase. \n- [COMMAND_EXECUTION] (LOW): The skill uses a shell command template (
cp) involving a user-influenced 'slug' variable. If an agent does not properly validate this string, it could be exploited for command injection.
Audit Metadata