advanced-elicitation
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The 'Memory Protocol' section in
SKILL.mdinstructs the agent to execute shell commands (e.g.,cat .claude/context/memory/learnings.md) to retrieve state before starting and to update these files after completion. This grants the agent specific file-system access patterns beyond simple tool use. - [PROMPT_INJECTION]: The skill's core functionality involves processing untrusted content through templates in
SKILL.md(e.g., First Principles, Socratic Questioning) using the{content}variable. This presents a surface for indirect prompt injection where malicious instructions within the content could subvert the reasoning process. 1. Ingestion points:{content}placeholder in multiple templates withinSKILL.md. 2. Boundary markers: Triple-dash delimiters (---) are used to wrap content. 3. Capability inventory: The skill has access toReadandWritetools and the ability to execute shell commands via the memory protocol. 4. Sanitization: There is no evidence of sanitization or specific instructions for the agent to ignore directives found within the processed content. - [PROMPT_INJECTION]: The file
commands/advanced-elicitation.mdcontains a forceful directive ('follow it exactly as presented to you') which is a pattern often associated with attempting to override previous instructions or system safety protocols.
Audit Metadata