reflect
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a workflow to scan conversation history and update 'brain' files or skill definitions. This represents an indirect prompt injection vulnerability because the agent may treat attacker-controlled conversation data as trusted instructions to be persisted.
  - Ingestion points: Conversation history including 'Mistakes made and corrections received', 'User preferences', and 'Decisions made' (SKILL.md).
  - Boundary markers: None. The instructions do not specify how to distinguish between legitimate learnings and malicious overrides injected by a user during the session.
  - Capability inventory: File system write access to the 'brain/' directory and '.agents/skills/' directory; capability to 'encode' learnings as lint rules or scripts.
  - Sanitization: No validation or sanitization process is defined for the extracted data before it is written to persistent storage or behavioral rules.
- [COMMAND_EXECUTION]: The skill implements 'structural enforcement' by creating lint rules, scripts, or runtime checks based on conversation content. If an attacker can influence the conversation so that a malicious script is generated, the agent may subsequently execute that code as part of its structural enforcement or runtime checks.
Audit Metadata