reflect

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on several internal scripts (Python and Bash) to manage state, detect signals, and generate outputs. These scripts perform standard file system operations, git commands, and metrics updates within the scoped environment.
  • [EXTERNAL_DOWNLOADS]: The skill uses 'uv' for dependency management (e.g., in hooks/precompact_reflect.py) and mentions the requirement for 'pyyaml'. These are standard development dependencies and do not involve untrusted remote code execution.
  • [PROMPT_INJECTION]: As the skill processes conversation transcripts to extract rules, it is theoretically susceptible to indirect prompt injection (Category 8) where malicious text in a conversation could be interpreted as a 'learning'. However, the skill provides robust mitigation by requiring explicit user review and approval (diff view) for every proposed change before application or indexing.
  • Ingestion points: scripts/signal_detector.py (reads conversation history from files or stdin).
  • Boundary markers: The detector uses specific regex patterns to identify directives, but does not use explicit delimiters for the raw input text.
  • Capability inventory: The skill uses the Edit and Write tools to modify agent files and knowledge documents; the Bash tool is used for git operations and indexing.
  • Sanitization: scripts/signal_detector.py normalizes extracted strings and the skill implements a mandatory 'Human-in-the-Loop' workflow to prevent unauthorized changes.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 09:05 AM