compound
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the persistent storage of user-provided content, presenting an indirect prompt injection surface. Insights captured from chat history are stored in a knowledge base and are explicitly intended for future retrieval by other agents (e.g., the 'learnings-researcher'), potentially allowing malicious instructions to influence downstream tasks.\n
- Ingestion points: Insights extracted from conversation history and manual
/compoundcommand inputs.\n - Boundary markers: The skill uses YAML and Markdown templates but lacks explicit instructions to downstream agents to ignore embedded commands in stored content fields.\n
- Capability inventory: The skill has access to
Bash,Write, andGrepfor file management.\n - Sanitization: A blocking 'Validation Gate' (Step 5) enforces schema constraints, and Step 4 sanitizes filenames to mitigate path traversal and shell injection.\n- [COMMAND_EXECUTION]: The skill uses
BashandGrepto search directories and create files (e.g.,mkdir -pand pattern searching). These operations are protected by strict input validation and metadata enums defined inschema.yamlto prevent arbitrary code execution.
Audit Metadata