update-context
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). Malicious instructions provided by a user (or via external data discussed in a conversation) could be identified as 'learnings' and persisted into core context files like
CLAUDE.md. Because these files are often used as system instructions in subsequent sessions, this allows for persistent behavioral poisoning. - Ingestion points: The entire conversation history (SKILL.md).
- Boundary markers: Absent; there are no specified delimiters to separate extracted user input from system-level instructions during the update process.
- Capability inventory: File system write access to project root files (SKILL.md).
- Sanitization: Absent; the skill relies on the LLM's judgment during the 'Review' and 'Determine Updates' phases without programmatic validation.
- Data Exposure & Exfiltration (SAFE): While the skill reads and writes local configuration files, it contains no code to perform network operations or transmit data externally. The documentation also explicitly warns against persisting sensitive information.
- No Code (SAFE): The skill contains only natural language instructions and no executable scripts or package dependencies, which limits its direct exploitability.
Audit Metadata