iterating

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core workflow involves the agent reading and parsing 'Work Logs' from external sources to determine its next actions.
  • Ingestion points: The agent is instructed to retrieve WorkLog data from various sources depending on the environment: local project files (WorkLog.md), user-uploaded files in /mnt/user-data/uploads/, project knowledge files in /mnt/project/, and content pasted directly by users into the chat.
  • Boundary markers: The skill suggests using YAML frontmatter (e.g., version: v1, status: in_progress) to identify WorkLog content. While this provides a structured format, it does not include explicit instructions to ignore or sanitize embedded instructions within the log's body that might contradict system safety or the intended task.
  • Capability inventory: The skill explicitly directs the agent to 'Execute ONE HIGH priority item' parsed from the WorkLog. This grants significant influence to the content of the external file over the agent's immediate behavior. The agent also has capabilities for file reading, writing, and environment variable inspection to support the persistence workflow.
  • Sanitization: There is no evidence of sanitization, validation, or escaping logic applied to the content of the WorkLog before the agent adopts its priorities as actionable instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 04:35 AM