learn
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to create persistent prompt injections. It saves 'lessons' to files such as `docs/project-reference/lessons.md` and `.claude/workflows/development-rules.md`, which are then automatically injected into future user prompts and file editing sessions.
- [COMMAND_EXECUTION]: The skill uses the `wc -c` command to monitor file sizes for budget enforcement. More significantly, it facilitates the modification of executable logic within the project's environment.
- [REMOTE_CODE_EXECUTION]: The skill encourages modifying and creating executable CommonJS scripts (`.cjs` files) in the `.claude/hooks/` directory. Specifically, it can append 'System Lessons' to `.claude/hooks/lib/prompt-injections.cjs`, which serves as a high-visibility execution layer. This allows the AI to modify its own operational hooks and behavioral logic based on potentially untrusted input, creating a risk of persistent arbitrary code execution within the agent's runtime context.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface. It ingests data from conversation history or file content (via 'lessons') and interpolates this data into future system prompts.
  - Ingestion points: user instructions containing keywords such as 'remember this' or 'always do', and conversation context processed via the `/learn` command.
  - Boundary markers: none are specified for the formatted lessons in the markdown or script files to prevent them from being interpreted as instructions by the LLM.
  - Capability inventory: includes the ability to Read, Write, Edit, and Glob files, as well as execute shell commands such as `wc`.
  - Sanitization: relies on manual AI 'skepticism' and 'Quality Gates' rather than programmatic escaping or validation.
Audit Metadata