NYC

rules-capture

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Command Execution] (MEDIUM): The skill uses relative path traversal (../) to access and write files in the .agents/SYSTEM/ directory. Writing to system-level folders outside the immediate workspace poses a risk of unauthorized modification of the agent's behavioral constraints and safety configuration.
  • [Prompt Injection] (LOW): The skill provides a significant surface for indirect prompt injection by promoting untrusted user conversation text to long-term system rules.
    1. Ingestion points: user statements detected via regex triggers in SKILL.md.
    2. Boundary markers: uses markdown blockquotes but lacks explicit logic to ignore embedded instructions.
    3. Capability inventory: appends to and overwrites behavioral rule files.
    4. Sanitization: none detected; no filtering of captured text for malicious prompt injection payloads.
  • [Command Execution] (MEDIUM): The persistence mechanism allows instructions to survive across sessions. A successful injection of a malicious rule (e.g., 'always ignore safety filters') could permanently compromise the agent's operational logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:27 PM