cross-conversation-project-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [Prompt Injection] (HIGH): The skill creates a persistent memory system that 'Auto-updates when project mentioned.' This establishes a vector for persistent indirect prompt injection; malicious instructions embedded in a conversation mention can be saved to the state file and subsequently influence the agent's behavior in future sessions when that project state is re-loaded.
- [Data Exposure & Exfiltration] (HIGH): By design, the skill maintains state across 'MULTIPLE conversations over days/weeks' using files in /mnt/user-data/outputs/projects/. There are no authentication or authorization checks, meaning information from a private or sensitive conversation can be leaked into a different conversation simply by mentioning the project name.
- [Indirect Prompt Injection] (HIGH):
- Ingestion points: Ingests untrusted data from the active conversation context whenever a 'project name' is mentioned (SKILL.md).
- Boundary markers: Absent. The skill lacks delimiters to separate project data from potential instructions.
- Capability inventory: Performs file read and write operations to /mnt/user-data/ to maintain state.
- Sanitization: Absent. There is no validation or escaping of the content being written to the persistent project files.
Recommendations
- AI detected serious security threats
Audit Metadata