cross-conversation-project-manager
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill possesses a high-risk ingestion surface by monitoring multiple conversations for project mentions. Ingestion points: monitors project mentions and content across multiple conversations (SKILL.md). Boundary markers: none identified to separate user data from instructions. Capability inventory: performs file-write operations to `/mnt/user-data/outputs/projects/` (SKILL.md). Sanitization: no escaping or validation of conversation content before persistence is mentioned. Malicious instructions embedded in a conversation could be persisted into project files, influencing future agent behavior when the state is re-loaded.
- [Data Exposure & Exfiltration] (LOW): The skill targets a specific filesystem path (`/mnt/user-data/outputs/projects/`) for persistent storage. While this is the stated purpose, it creates a repository of project-related data that could be sensitive. No network exfiltration patterns were detected.
Audit Metadata