learn
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill reads and processes the '.superstack/learnings.md' file, creating a surface for indirect prompt injection if malicious instructions are appended to the learnings database.
  - Ingestion points: '.superstack/learnings.md' (read by /learn, /learn search, /learn prune, /learn export, and /learn stats).
  - Boundary markers: Absent; the file content is parsed and displayed without explicit isolation from system instructions.
  - Capability inventory: Bash shell execution, file system modification, and network access (curl).
  - Sanitization: Absent; the skill relies on manual user interaction via AskUserQuestion for updates but displays search results as-is.
- [DATA_EXFILTRATION]: Transmits telemetry data including skill usage events and platform architecture metadata to an external endpoint.
  - Evidence: Bash scripts in the 'Preamble' and 'Telemetry' sections use 'curl' to POST data to a URL retrieved from 'config.json'.
  - Context: This behavior is transparently handled via an opt-in prompt where the user must consent to anonymous usage tracking.
- [COMMAND_EXECUTION]: Uses local bash scripts for environment initialization, configuration parsing, and usage logging.
  - Evidence: Scripts perform 'cat', 'grep', and 'sed' operations on configuration files in the user's home directory.
Audit Metadata