remember-learnings
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it processes untrusted conversation history and persists "learnings" into the agent's permanent instruction files (`AGENTS.md` and `rules/*.md`).
  - Ingestion points: The skill explicitly instructs the agent to review the "entire conversation history" in `SKILL.md`.
  - Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between legitimate session errors and adversarial attempts to inject malicious rules.
  - Capability inventory: The skill can write to the local file system and execute `git add` commands.
  - Sanitization: None. The skill lacks any mechanism to validate or sanitize the "learnings" before they are written to files.
  - Autonomous Execution: The instruction "Do NOT ask for user confirmation" removes the human-in-the-loop safety check, allowing potentially poisoned rules to be committed automatically.
- Command Execution (SAFE): The skill uses `git add AGENTS.md rules/`. This command is restricted to specific, expected paths and does not use risky flags or dynamically generated arguments from untrusted sources.
Audit Metadata