capture-learning
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands like `ls` and `find` to discover and verify the existence of documentation files within the project's directory structure (e.g., `.claude/CLAUDE.md`). These operations are used for legitimate file management and discovery.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by converting untrusted conversation history into permanent project instruction files or global skill definitions. If malicious instructions are captured as 'learnings', they could influence the agent's behavior in subsequent sessions when these files are read as context.
  - Ingestion points: Data is extracted from the recent conversation context, which includes potentially untrusted user input and tool outputs.
  - Boundary markers: The skill formats learnings using specific Markdown headers (e.g., Problem, Cause, Solution) but does not append explicit delimiters to the final document to prevent instruction interpretation by the LLM in future contexts.
  - Capability inventory: The skill has the capability to read project files, list directories, and write or append to markdown documentation files throughout the project and agent configuration directories.
  - Sanitization: Includes a mandatory confirmation step where the user must review the proposed content and diff before any write operation is performed. It also specifically directs the agent to ignore and omit any sensitive information like credentials or private URLs.
Audit Metadata