english-learner
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an 'Auto-Intercept' mode that instructs the agent to monitor and analyze every English message sent by the user. By using directives like 'PROACTIVE', 'trigger: always', and 'MANDATORY', the skill attempts to override the agent's standard conversational flow and prioritize its own logic without explicit user invocation.
- [PROMPT_INJECTION]: The skill metadata contains instructions ('If the agent's description mentions...') that attempt to influence how the agent interprets its own system description to ensure the skill is used proactively, even if not explicitly requested.
- [COMMAND_EXECUTION]: The instructions direct the agent to pass raw user input as command-line arguments to Node.js scripts (e.g., `node sentence_parser.cjs classify <text>`). This pattern is vulnerable to command injection if a user's message contains shell metacharacters such as `;`, `|`, or `` ` ``, which could lead to arbitrary code execution on the host system.
- [DATA_EXFILTRATION]: The skill automatically logs every English user query and its timestamp to a local file under `~/.english-learner/history/`. Because the skill is instructed to run on every English message, this results in the persistent collection of the user's conversation history.
- [DATA_EXFILTRATION]: The 'Auto-Intercept' feature interpolates raw user input into a Markdown table ('Teaching Moment') without sanitization or boundary markers. This creates a surface for indirect prompt injection, where malicious content in the user's message could disrupt the agent's output format or influence subsequent logic.
Audit Metadata