learn
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill serves as an indirect prompt injection surface as it processes untrusted conversation history to define agent behavior rules.
  - Ingestion points: Scans all user messages in the conversation and reads existing files at ~/CLAUDE.md, ~/.claude/rules/, and project memory paths.
  - Boundary markers: No explicit delimiters are used to wrap or sanitize content extracted from the conversation history.
  - Capability inventory: The skill uses file system tools to read, list, and surgically edit configuration files.
  - Sanitization: Content is displayed to the user for approval but is not programmatically sanitized for injection payloads. This behavior is consistent with the skill's primary purpose of learning from user input and includes a human-in-the-loop safety checkpoint.
Audit Metadata