skill-evolution
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it captures user feedback from conversations and persists it as 'Best Practices' or 'Custom Instructions' within the SKILL.md file. This creates a feedback loop where untrusted data can influence the agent's core instructions in future sessions.
- Ingestion points: Untrusted data enters the system through the json_data argument in merge_evolution.py and the json argument in layered_merge.py, which are intended to be called by the agent with content extracted from the dialogue.
- Boundary markers: While smart_stitch.py adds a warning header to the auto-generated section, it lacks explicit 'ignore embedded instructions' markers that would prevent the LLM from obeying injected commands within that section.
- Capability inventory: The skill has the capability to write to the local filesystem (all scripts) and execute subprocesses (specifically align_all.py calling smart_stitch.py).
- Sanitization: There is no evidence of sanitization, filtering, or validation of the user-provided text before it is merged into the evolution JSON files or stitched into the Markdown documentation.
- [COMMAND_EXECUTION]: The script align_all.py dynamically executes other Python scripts within the skill directory.
- Evidence: The function align_skill in scripts/align_all.py uses subprocess.run([sys.executable, str(stitch_script), ...]) to invoke the stitching logic.
Audit Metadata