improve-instructions
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted conversation history to modify persistent instruction files.
- Ingestion points: The skill analyzes the current conversation history (Phase 1) to identify recurring patterns, corrections, and preferences.
- Boundary markers: There are no specified delimiters or instructions to ignore potential adversarial commands embedded within the conversation history.
- Capability inventory: The skill possesses the capability to modify files via an Edit tool, specifically targeting global (~/.claude/CLAUDE.md) and project-level (CLAUDE.md) configuration files (Phase 4).
- Sanitization: No sanitization or filtering logic is described for the text extracted from the conversation history before it is proposed as an instruction update.
- Mitigation: The risk is significantly reduced by the inclusion of a human-in-the-loop (HITL) step (Phase 3) where improvements must be approved via AskUserQuestion before implementation.