mentor-guided-learning
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill's core logic involves reading and obeying 'Runtime Rules' from the project-root AGENTS.md. By instructing the agent to 'Read project-root AGENTS.md as the primary runtime rule,' the skill creates a direct path for untrusted data to override the agent's safety constraints and intended behavior.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly grants the agent authority to write non-critical boilerplate, fully implement critical logic, and provide CLI commands for execution (via assets/AGENTS-template.md). When these capabilities are combined with the instruction-following behavior from AGENTS.md, an attacker can gain arbitrary code execution on the user's system by poisoning the markdown file.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Vulnerability surface identified with a high-privilege capability set.
  - Ingestion points: The agent reads AGENTS.md, .LEARNING/learner-profile.md, and .LEARNING/mastery-map.md at every conversation turn.
  - Boundary markers: The skill uses `<!-- mentor-guided-learning:begin -->` markers to delimit rules, but it does not instruct the agent to ignore malicious instructions embedded within those markers.
  - Capability inventory: The agent is authorized to write/edit files, generate code, and provide system commands (CLI) for the user to run (or for the agent to execute if equipped with a terminal tool).
  - Sanitization: There is no evidence of sanitization or safety-filtering of the content read from the project files before it is used to influence the agent's decision-making process.
Recommendations
- AI detected serious security threats
Audit Metadata