brain-ops
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implements logic for managing an internal knowledge base. While it ingests data from various external signals such as messages and emails, this behavior is central to its documented purpose and does not include malicious code, exfiltration patterns, or obfuscation.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it processes untrusted data from messages and emails and writes it to a persistent knowledge base. Because this ingestion is the primary function of the skill, the severity is minimal.
- Ingestion points: Processes information from every message, meeting, email, conversation, and shared link as described in the READ → ENRICH → WRITE loop.
- Boundary markers: The instructions do not specify the use of delimiters or specific instructions to ignore embedded commands within ingested data.
- Capability inventory: Uses tools like put_page, add_link, and add_timeline_entry to modify the knowledge base, which then informs future agent responses.
- Sanitization: There is no mention of sanitizing or validating external content before it is stored in the brain.
Audit Metadata