secondbrain-note
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted user input (Title, Content) and writes it to the filesystem without sanitization or boundary markers.
  - Ingestion points: User-provided title and content in Step 1 of SKILL.md.
  - Boundary markers: Absent; user content is directly interpolated into markdown and YAML templates.
  - Capability inventory: File system write operations to 'docs/notes/' and '.claude/data/notes/records.yaml'.
  - Sanitization: Absent; there is no evidence of input validation or escaping, which allows for the storage of malicious instructions that could be executed by an agent in a future session.
- [Data Exposure & Exfiltration] (SAFE): The skill only interacts with local project paths for documentation and configuration. No network requests or access to sensitive environment variables or credentials were detected.
- [Remote Code Execution] (SAFE): No external scripts are downloaded, and the skill does not use dynamic execution functions like eval() or exec().
Audit Metadata