save-context
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests and uses file system tools (Read, Write, Edit) to manage markdown files within the `.context/` directory. This is intended functionality to store user preferences, project notes, and profile information.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it stores arbitrary user-provided text into files that are later re-ingested into the agent's context.
- Ingestion points: Content from the user conversation is saved to files in the `.context/` directory, such as `profile.md` and `current-focus.md`.
- Boundary markers: The skill does not define specific delimiters or instructions for the agent to treat the stored data as untrusted or to ignore embedded instructions.
- Capability inventory: The agent possesses Read, Write, and Edit file system capabilities and can interact with Notion APIs.
- Sanitization: No sanitization, escaping, or validation of user-provided content is performed before writing to the context files.
- [DATA_EXFILTRATION]: The skill mentions integration with Notion for task tracking and research pipeline updates. Notion is a well-known service, and there is no evidence of data being sent to untrusted external domains.
Audit Metadata