brainerd

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE | PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes session history and conversation data, which provides an entry point for indirect prompt injection.
    • Ingestion points: Ingests the current conversation context (references/reflect.md) and older repository-scoped session history from harness logs or exports (references/ruminate.md).
    • Boundary markers: Absent. The instructions do not define technical delimiters or specific exclusion tags for the ingested session data.
    • Capability inventory: The skill allows writing to the repository filesystem to create or update files within the 'brain/' directory and modify 'AGENTS.md' (SKILL.md, references/reflect.md, references/ruminate.md).
    • Sanitization: Instructions mandate that the agent 'distills' learnings into its own prose rather than quoting directly, and explicitly forbid the storage of secrets, credentials, or raw transcript excerpts (references/guardrails.md).
  • [SAFE]: The skill is entirely instruction-based and does not include any executable scripts, binaries, or remote code download patterns.
  • [SAFE]: Modifications are strictly confined to the 'brain/' directory and 'AGENTS.md', with explicit instructions to avoid touching code, configuration, or tests.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 08:51 PM