recover
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It instructs the agent to read checkpoint files and immediately execute the 'pendingTodos' found within them using the TaskCreate tool. This allows any process or actor capable of writing to the plans/reports directory to influence the agent's subsequent behavior.
  - Ingestion points: Reads the JSON metadata block from memory-checkpoint-*.md files.
  - Boundary markers: Absent. There are no instructions to differentiate between data and potentially malicious instructions within the checkpoint.
  - Capability inventory: File system discovery (ls, find), file reading, and task generation (TaskCreate).
  - Sanitization: Absent. The workflow explicitly mandates immediate execution of the extracted items.
- [COMMAND_EXECUTION]: The skill uses shell commands like ls, find, tail, and head to discover and sort checkpoint files in the local file system. This capability is used for legitimate discovery but interacts directly with the host environment.