study-summary

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill presents a significant attack surface by processing untrusted data while possessing file-system write permissions.
    ● Ingestion points: The skill scans the 'current conversation' (SKILL.md Step 1), which is untrusted input.
    ● Boundary markers: Absent; there are no instructions to delimit the conversation data or ignore embedded commands.
    ● Capability inventory: The skill creates new files in the 'notes/' directory and appends data to 'notes/progress.md' (SKILL.md Steps 4 & 5).
    ● Sanitization: Absent; the skill uses topics extracted directly from the conversation to construct file paths (e.g., 'notes/YYYY-MM-DD-.md'), making it susceptible to path traversal attacks if a topic name contains characters like '../'.
  • [Data Exposure & Exfiltration] (LOW): The skill accesses the complete conversation history. While this is necessary for the stated functionality, it exposes all sensitive information shared during the session to the processing logic and eventual file storage.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 02:17 PM