project-ai-mistakes

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE

PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves rules and historical context from a file (specs/7_AI错题本.md) that is updated based on runtime interactions. Maliciously crafted input could lead to the recording of 'rules' that alter the agent's intended behavior in future sessions.
  • Ingestion points: The agent reads content from specs/7_AI错题本.md during the retrieval and pre-warning (事前预警) phases.
  • Boundary markers: Absent; the template provides structure but does not include explicit instructions to ignore potentially malicious instructions within the logged entries.
  • Capability inventory: Includes file reading (via retrieval logic and the recommended use of cat) and file writing (saving the confirmed log to specs/7_AI错题本.md).
  • Sanitization: Absent; the skill does not specify any validation, escaping, or filtering of the error descriptions or 'core lessons' before they are saved or processed as rules.
  • Remediation: Wrap retrieved content in clear delimiters with a system instruction to ignore any embedded directives. Use structured data formats with strict validation for rules, and ensure human review of the 'Core Principles' section before it is used as authoritative guidance.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 22, 2026, 04:57 AM