learn
Audit result: Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes the entire conversation history to generate updates for other skills and configuration files. If the session history contains malicious instructions (e.g., from an external website or file processed earlier in the session), the 'learn' skill might propose these as legitimate updates.
  - Ingestion points: Current conversation history parsed in Step 1.
  - Boundary markers: Absent; there are no instructions to disregard potentially malicious commands embedded in the history.
  - Capability inventory: Ability to write and modify SKILL.md files, memory files, and CLAUDE.md as defined in Step 4.
  - Sanitization: Absent, though the skill mandates a human-in-the-loop approval step before any modifications are committed (Steps 2 and 4).
- [COMMAND_EXECUTION]: The skill possesses the capability to modify existing skill files, create new ones, and update the system configuration file (CLAUDE.md). This powerful capability allows for persistent changes to the agent's behavior across future sessions.