reasoningbank-adaptive-learning-with-agentdb
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The 'LIBRARY-FIRST PROTOCOL' in SKILL.md explicitly commands the agent to scan 'D:\Projects*' and 'EXTRACT and adapt' content found there. This is a broad, invasive search of the host's filesystem for potentially sensitive project data.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill requires installing 'reasoningbank-agentdb' via npm and running a script, 'setup-reasoningbank.ts', that is not included with the skill, via 'npx ts-node'. These dependencies come from untrusted sources (reasoningbank.dev, agentdb.dev) and represent an unverified supply-chain risk.
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted external data ('trajectories') containing natural-language reasoning ('Because X and Y') and context. It has high-privilege capabilities including 'Write' and 'Edit'.
  - Ingestion points: 'reasoningBank.trackTrajectory' in SKILL.md and PROCESS.md.
  - Boundary markers: None identified; untrusted 'reasoning' and 'context' fields are processed directly.
  - Capability inventory: 'Write', 'Edit', 'Task', 'TodoWrite' (SKILL.md allowed-tools).
  - Sanitization: No sanitization or validation of the ingested trajectory data is mentioned in the SOP or code snippets.
- [Prompt Injection] (MEDIUM): The 'LIBRARY-FIRST PROTOCOL' uses mandatory language ('Before writing ANY code, you MUST check') to override standard agent operating procedures, forcing the agent to prioritize external/local library content over its own safety or logic constraints.
Recommendations
- AI detected serious security threats