fyi
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill possesses a vulnerability surface for indirect prompt injection because it stores untrusted user input for later retrieval and review.
  - Ingestion points: Untrusted data enters via the `$ARGUMENTS` variable in `SKILL.md` during Mode 2.
  - Boundary markers: No structural boundary markers (like XML tags or unique delimiters) are defined for the file content, though the skill provides instructional boundaries ("treat as raw text").
  - Capability inventory: Includes file system write access via the `Write` tool, file system read access for `INDEX.md`, and side-effect capability via the `oracle_learn()` function.
  - Sanitization: Relies on instructional constraints ("Do not run bash commands", "treat as raw text") rather than programmatic sanitization or strict schema validation of the user-provided content.
- [Command Execution] (LOW): There is a theoretical risk of command injection if the agent improperly handles the generation of the 'slug' from user-controlled arguments when creating filenames, although the skill explicitly forbids bash execution.
Audit Metadata