self-improvement
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of persisting external data for future agent use.
  - Ingestion points: Data enters the system via `src/services/learning-service.js` and `src/services/error-service.js`, which capture user feedback and command outputs into markdown files in the `.learnings/` directory.
  - Boundary markers: Although the hook notifications use XML-style tags like `<error-detected>`, the persisted markdown entries do not include delimiters or instructions to ignore embedded commands when they are re-injected into the session.
  - Capability inventory: The agent possesses file system capabilities, including creating new directories and files via `src/services/extraction-service.js` and its associated shell scripts.
  - Sanitization: The skill does not sanitize or escape external content before writing it to the local learning files, allowing potentially malicious instructions in error messages or user feedback to be persisted.
Audit Metadata