brain-commit
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by design, as it extracts and elevates 'principles' from untrusted conversation history into permanent system rules.
  - Ingestion points: Reads current conversation history and the last 15 session logs stored in `~/.brain/logs/` (File: SKILL.md).
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded instructions when reading or analyzing these logs.
  - Capability inventory: The skill has file-write access to `rules.md` and `values.md`, which are used to define the agent's future behavior.
  - Sanitization: No sanitization, validation, or filtering of the extracted 'patterns' is performed before they are presented to the user for adoption.
- [SAFE]: The skill performs no network operations and does not interact with external domains or non-whitelisted sources.
- [SAFE]: No use of shell commands, subprocess spawning, or dynamic code execution (eval/exec) was detected. All file operations are directed at specific, non-sensitive paths within the user's home directory.