team
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes untrusted data from external sources.
- Ingestion points: The skill reads persona files from the local filesystem and retrieves information via web search tools (mcp__exa).
- Boundary markers: Persona inputs are structured using markdown block quotes, which provides structural delimitation but does not necessarily prevent instructions within the data from being followed.
- Capability inventory: In Phase 5, all tools (ALL_TOOLS) become available for file writing and command execution, creating a path for potentially malicious instructions to be implemented.
- Sanitization: There is no explicit validation or sanitization logic to filter instructions from persona files or search results.
- [DATA_EXFILTRATION]: The skill contains a hardcoded absolute path (/Users/nke/.claude/personas/*.md) in the setup section of SKILL.md. While this does not actively exfiltrate sensitive data, it exposes specific local environment details (the author's username), which violates security best practices.
Audit Metadata