memorize
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from conversation history and external tool outputs to update persistent context.
- Ingestion points: Conversation history, reflection outputs from /reflexion:reflect, and critique findings from /reflexion:critique (SKILL.md, Phase 1).
- Boundary markers: The instructions lack explicit delimiters or markers to isolate the harvested data from the agent's logic during the extraction and curation phases.
- Capability inventory: The skill has the capability to modify the filesystem by writing to CLAUDE.md (SKILL.md, Phase 3).
- Sanitization: The skill implements manual sanitization rules, such as a prohibition on secrets, tokens, and PII, alongside 'Quality Gates' to review coherence and actionability. However, these checks are performed by the model itself rather than a hard boundary system.
Audit Metadata