pillar-best-practices
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates a 'Knowledge Sources' feature (via the
pillar knowledge addcommand) that enables the AI agent to ingest and reason over content from arbitrary external URLs, such as documentation websites, GitHub repositories, and Notion pages. This presents a surface for indirect prompt injection. - Ingestion points: External websites and documentation platforms added to the knowledge base, as documented in
AGENTS.mdandrules/cli-knowledge.md. - Boundary markers: There are no identified delimiters or specific instructions within the skill to isolate ingested content or warn the agent about potential instructions embedded in that data.
- Capability inventory: The agent is capable of executing custom tool handlers (e.g., performing API requests and application navigation) and reading codebase metadata via the
pillar syncscanning tool. - Sanitization: The skill documentation does not describe any mechanisms for validating, filtering, or sanitizing the content retrieved from external knowledge sources before it is processed by the assistant.
Audit Metadata