pensieve
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill incorporates persona injection in the generated _agent-prompt.md file, directing the agent to act as 'Linus Torvalds'. It is also exposed to indirect prompt injection, since it processes user-provided markdown files to guide its logic. Ingestion points: files in .claude/skills/pensieve/ (maxims, decisions, pipelines, knowledge). Boundary markers: structural headers (e.g., ## Task Blueprint) and YAML frontmatter. Capability inventory: bash/python execution, file system operations, and CLI commands. Sanitization: regex-based structural parsing without explicit content filtering.
- [COMMAND_EXECUTION]: Automated workflows are orchestrated via bash scripts that execute python heredocs and CLI tools. The tools/loop/scripts/_lib.sh file includes a command execution utility with retry and timeout capabilities for running sub-processes.
- [EXTERNAL_DOWNLOADS]: The skill performs plugin updates from the vendor's repository ('kingkongshot/Pensieve') using the claude plugin marketplace command, which is an intended feature for maintaining tool integrity.
- [DATA_EXFILTRATION]: Health check and configuration tools access sensitive local files such as ~/.claude/settings.json and MEMORY.md. While these files are sensitive, the exposure is necessary for the skill's primary function of aligning project-level settings and agent guidance.
Audit Metadata