skill-reinforcement

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Prompt Injection] (LOW): The skill provides a surface for Indirect Prompt Injection by persisting untrusted data into permanent instruction files.
    • Ingestion points: SKILL.md triggers on command failures, tool outputs, and user-confirmed 'fixes' (Step 2 and Step 4).
    • Boundary markers: Absent. The skill lacks delimiters or 'ignore embedded instructions' warnings when writing learned content to .opencode/skill/ files.
    • Capability inventory: Access to 'cat' and 'Edit' tools to modify Markdown-based instruction sets across the skill directory.
    • Sanitization: Absent. Instructions explicitly state to 'Include exact commands/patterns' from observed outcomes without validation.
  • [Dynamic Execution] (MEDIUM): The skill facilitates self-modifying agent behavior. By writing new instructions to SKILL.md files and then following them in subsequent sessions, the agent is dynamically modifying its own logic based on external runtime data. This requires human review to ensure that the feedback loop does not institutionalize harmful or bypass patterns.
  • [Command Execution] (LOW): Uses local shell commands like 'cat' to read skill definitions. While the commands are standard, their use within an automated self-update workflow increases the risk of persisting malicious logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:24 PM