reflect
Audited by Gen Agent Trust Hub on Feb 13, 2026
The reflect skill is well-documented and appears to be designed with security and robustness in mind. It focuses on enabling the AI to persist learnings in local MEMORY.md files.
Prompt Injection (INFO): The SKILL.md file contains extensive meta-instructions for Claude in the section "CRITICAL: Learning Extraction Rules." These instructions dictate how Claude should process conversation transcripts, extract learnings, validate them against a quality checklist, and reject low-quality or malicious inputs. Although these instructions are defensive and aim to improve the AI's behavior and prevent the storage of harmful learnings, they directly manipulate the AI's internal reasoning process. This technically fits the definition of prompt injection, because it overrides Claude's default learning behavior with specific rules, even if the intent is beneficial.
Data Exfiltration (NONE): No commands or patterns were found that attempt to exfiltrate sensitive user data or files to external, untrusted domains. The skill primarily reads and writes to local MEMORY.md files and configuration files within the user's environment (~/.claude/, .specweave/).
Obfuscation (NONE): No instances of Base64, zero-width characters, Unicode homoglyphs, or other obfuscation techniques were detected in the provided files.
Unverifiable Dependencies (LOW): The skill describes commands like specweave refresh-marketplace and specweave init --refresh, which imply downloading and merging content from a marketplace. The _meta.json file indicates that this skill itself originates from https://github.com/openclaw/skills/, which is the platform's own repository and thus considered a trusted source. The reliance on external marketplace content is therefore noted but downgraded to LOW severity.
Privilege Escalation (NONE): No commands such as sudo, doas, chmod +x, chmod 777, or attempts to install services or modify system-critical files were found.
Persistence Mechanisms (INFO): The core function of this skill is to establish persistence for AI learnings by writing to MEMORY.md files in user-specific directories (~/.claude/plugins/..., .specweave/memory/). Although this is a form of persistence, it is the intended and documented behavior for storing AI knowledge, not a means of malicious system access.
Metadata Poisoning (NONE): The name and description fields in SKILL.md and the _meta.json file are benign and accurately reflect the skill's purpose.
Indirect Prompt Injection (INFO): As a skill designed to process conversation transcripts and extract