meta-dialogue-v2
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: CRITICAL (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface through persistent storage. The skill is designed to accumulate user context, behavioral patterns, and hypotheses in files such as `_meta-profile.md` and session logs within the `{프로젝트}/context/me/` directory. This historical data is loaded in subsequent sessions as a primary context source, so an attacker whose content reaches the dialogue can embed instructions that are persisted and later manipulate the agent.
  - Ingestion points: the skill explicitly loads `context/me/meta-dialogue-sessions/_meta-profile.md` and `context/me/about-me.md`.
  - Boundary markers: there are no explicit delimiters or instructions to the model to treat the loaded historical content as potentially untrusted data.
  - Capability inventory: the agent has permission to read and write markdown files within the user's project directory, which is also where the persisted profile lives.
  - Sanitization: no input validation or sanitization is performed on user dialogue before it is saved and subsequently re-processed.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata