context-saver
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH. Tags: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by ingesting untrusted data from the conversation history and tool outputs.
- Ingestion points: Processes the entire conversation history, including tool outputs (Step 2) and user messages (Step 5).
- Boundary markers: Absent. The instructions do not define delimiters or warnings to ignore instructions embedded in the data being summarized.
- Capability inventory: File system write access (docs/context/ or project root) via the agent's file-writing tools.
- Sanitization: Absent. The skill explicitly instructs the agent to 'Preserve: User-stated requirements verbatim' and capture 'Essential code excerpt', which can be used to inject malicious commands or misleading instructions into the persistent state file.
- Data Exposure (MEDIUM): The skill identifies 'Signal Extraction Priority' which includes active code focus and user requirements.
- Evidence: Steps 2 and 5 instructions.
- Risk: If a user accidentally pastes an API key, session token, or sensitive configuration during a session, this skill is designed to 'extract signal' and save it into a plaintext Markdown file (CONTEXT-{topic}.md) on disk, increasing the risk of credential theft if the file system is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata