self-heal

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes untrusted user session data (friction signals) to diagnose instruction failures and propose updates to its own or other skills' permanent instruction files (SKILL.md).
  • Ingestion points: User interaction history is parsed by the root-cause-analyst agent as described in references/diagnosis-protocol.md.
  • Boundary markers: The system lacks explicit delimiters or instructions to treat user session data as untrusted within the diagnostic prompts.
  • Capability inventory: The skill is granted Write and Edit tools to modify markdown files on the filesystem.
  • Sanitization: Relies on a patch-reviewer agent and mandatory user confirmation of a visible before/after diff before applying changes.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 22, 2026, 01:52 AM