scratch-pad
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on an internal script `scripts/scratch_pad.py` to perform all operations. This script is not provided in the skill package, making it an unverifiable dependency. There is a risk of command injection or path traversal if the script does not properly sanitize the `--file` argument or the content strings passed via the CLI.
- [PROMPT_INJECTION] (MEDIUM): The skill facilitates Indirect Prompt Injection (Category 8). It is designed to aggregate and store untrusted data from external sources (e.g., web searches, documentation) into a scratchpad, which the agent later reads to formulate responses.
  - Ingestion points: Content passed to the `append`, `finding`, and `log-tool` subcommands of `scripts/scratch_pad.py` (found in `SKILL.md`).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when writing to or reading from the scratchpad.
  - Capability inventory: The system allows writing to the local filesystem and reading back content to influence agent reasoning.
  - Sanitization: There is no evidence of sanitization or filtering of the external content before it is stored and subsequently processed by the LLM.
Audit Metadata