Skill: skills/rjmurillo/ai-agents/reflect

reflect

Audit result: Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [COMMAND_EXECUTION]: The Phase 4 contingency logic (the fallback used when Serena is unavailable) saves data with the bash command `echo "$newLearnings" >> "$path"`. The variable `$newLearnings` is populated directly from the conversation history. An attacker can craft a 'correction' containing shell metacharacters (e.g., backticks or command substitution) to execute arbitrary code when the agent attempts to save the reflection.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It is designed to ingest untrusted user input from the conversation (corrections, praise, edge cases) and persist it as 'constraints' or 'preferences' in long-term memory files.
      ◦ Ingestion points: Reads the current conversation context, focusing specifically on user directives.
      ◦ Boundary markers: No boundary markers or 'ignore' instructions are used when writing to the memory files.
      ◦ Capability inventory: The skill has the ability to write to files and execute external Python modules.
      ◦ Sanitization: There is no evidence of sanitization or validation of the extracted 'learnings' to prevent a malicious user from injecting permanent harmful instructions into the agent's core memory.
  • [EXTERNAL_DOWNLOADS]: The Phase 4 enhancement references an external Python module, `memory_enhancement`, that is not part of the skill distribution. This introduces a dependency on an unverified external tool for citation management.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 7, 2026, 02:41 AM