lessons
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill templates include 'chmod +x' to create executable git hooks for automation. This is a legitimate development pattern but grants the agent the capability to create persistent executable scripts on the host.
- PROMPT_INJECTION (LOW): The skill creates a surface for indirect prompt injection by reading content from '/.claude/lessons.md' and interpolating it directly into prompts for the 'gemini' CLI without sanitization or boundary markers.
  1. Ingestion points: File content from '/.claude/lessons.md' is ingested via 'tail' and 'cat' commands.
  2. Boundary markers: Absent; the file content is concatenated directly into the shell command strings used as LLM prompts.
  3. Capability inventory: The skill utilizes file writing, permission modification (chmod), and external tool execution (gemini CLI).
  4. Sanitization: Absent; there is no logic to escape or validate the contents of the lessons file before it is processed by the LLM.
Audit Metadata