coach
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
- [PROMPT_INJECTION]: The skill defines a feedback loop that ingests untrusted data from tool execution outputs and user corrections to generate persistent agent instructions.
  1. Ingestion points: Friction signals are captured from stderr patterns, user correction language, and session context into a local SQLite database.
  2. Boundary markers: The system prompt does not define specific delimiters or instructions to ignore nested commands when processing these signals.
  3. Capability inventory: The skill uses Bash with python3 and sqlite3 to process data and has Write permissions for CLAUDE.md to persist rules.
  4. Sanitization: No explicit sanitization or filtering of captured signals is described.

  This risk is mitigated by the requirement for manual user approval before rules are applied.
- [COMMAND_EXECUTION]: The skill relies on executing a suite of local Python scripts (init_coach.py, detect_signals.py, etc.) and SQLite queries to manage the learning lifecycle. These tools are used for internal data aggregation and signal analysis within the skill's environment.
Audit Metadata