distill
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's operations are confined to the local environment and its stated purpose of knowledge distillation. No malicious patterns or exfiltration attempts were detected.
- [COMMAND_EXECUTION]: The skill utilizes standard system commands such as find, grep, git, and ghq to traverse and read local project files. These operations are used strictly for data gathering within the local workspace.
- [PROMPT_INJECTION]: The instructions prioritize extreme autonomy (e.g., 'Never ask the user anything', 'No human in the loop'). While this reduces user oversight, it aligns with the skill's functional requirement for automated processing and does not attempt to bypass core safety guardrails.
- [DATA_EXFILTRATION]: No network exfiltration patterns or external communication to non-whitelisted domains were found. Results are written to the local file system and logged via a local MCP tool.
- [PROMPT_INJECTION]: The skill processes data from various local memory files which represents a potential indirect prompt injection surface.
- Ingestion points: Multiple files are read from directories including ψ/memory/retrospectives/ and ψ/memory/learnings/.
- Boundary markers: The skill includes specific instructions for subagents to return 'STRUCTURED DATA only' and 'Raw signal' to mitigate the risk of obeying instructions embedded in the data.
- Capability inventory: The skill has the capability to execute shell commands, write files to the local disk, and trigger MCP tools.
- Sanitization: There is no explicit evidence of escaping or content validation for the data read from the files.
Audit Metadata