filesystem-context

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill teaches patterns for offloading tool outputs to files and loading them on-demand, as well as 'learning through self-modification' where the agent updates its own instruction files. These patterns create a surface for indirect prompt injection and persistent instruction poisoning.
  • Ingestion points: Files in 'scratch/' (derived from tool outputs) and 'agent/user_preferences.yaml' (derived from session learning).
  • Boundary markers: Absent; the skill does not instruct the agent to use delimiters or ignore embedded commands when reading back context.
  • Capability inventory: The agent uses 'read_file', 'write_file', and shell search tools like 'grep'.
  • Sanitization: Absent; the skill notes the need for guardrails in a 'Caution' section but provides no implementation or concrete validation steps.
  • [COMMAND_EXECUTION]: The skill recommends using shell-based tools such as 'grep' and 'glob' to discover and search context files. If the search patterns or file paths are generated from untrusted external input without rigorous sanitization, it could lead to command injection or unauthorized access to sensitive files on the host system.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 05:08 PM