reflect
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Prompt Injection] (MEDIUM): The skill is highly vulnerable to indirect prompt injection because its core function is to ingest untrusted conversation history and use it to rewrite skill instructions. An attacker can craft dialogue that the AI interprets as a "successful pattern," effectively poisoning the skill's logic for future sessions.
  - Ingestion points: Conversation history (session logs processed in SKILL.md Step 1).
  - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the analyzed history.
  - Capability inventory: Persistent file writing (Edit), modification of system settings (~/.claude/settings.json), and Git command execution.
  - Sanitization: The skill validates YAML/Markdown syntax but lacks any semantic or security-based sanitization of the generated instructions.
- [Command Execution] (LOW): The skill uses system-level commands specifically for version control (git commit, git revert). While intended for safety (backups), this capability could be exploited if file paths or commit messages were influenced by malicious data during the "Auto-fix" process.
- [Data Exfiltration] (LOW): The skill reads sensitive local data, including the agent's global settings (~/.claude/settings.json) and the full conversation history. While no direct network exfiltration was found, the skill's "Evolution" mechanism could move sensitive data into more accessible or less protected skill files.