persona-detection
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses an LLM to process untrusted data from the workspace, creating a risk of indirect prompt injection.\n
- Ingestion points: According to the 'LLM Detection Path' in SKILL.md, the skill gathers the directory tree, README, package.json, and copilot-instructions.md as context for the model.\n
- Boundary markers: The documentation does not indicate the use of delimiters or instructions to separate untrusted data from system prompts, which may allow content in project files to be interpreted as agent instructions.\n
- Capability inventory: The skill's logic includes updating user-profile.json and the Active Context section of copilot-instructions.md (SKILL.md), meaning an injection could influence these configurations.\n
- Sanitization: There is no evidence of sanitization or validation performed on the ingested file content before it is processed by the LLM.
Audit Metadata