learn
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automates the execution of 'npx skiller@latest apply'. This command downloads and runs the latest version of the 'skiller' package from the npm registry to apply newly generated rules.
- [PROMPT_INJECTION]: The skill is designed to automatically generate new system instructions (.mdc files) based on conversation history. This creates an indirect prompt injection surface. Evidence:
  1. Ingestion points: Conversation history processed during '/learn' or task completion.
  2. Boundary markers: Uses markdown templates but lacks explicit instructions to ignore embedded commands in source text.
  3. Capability inventory: 'Read', 'Write', 'Edit', 'Grep', 'Glob', 'WebSearch', 'WebFetch', 'Skill', 'AskUserQuestion', 'TodoWrite'.
  4. Sanitization: Manual checklist provided, but lacks automated escaping or filtering of external content before interpolation into MDC files.
- [EXTERNAL_DOWNLOADS]: The skill uses 'WebSearch' and 'WebFetch' to pull information from the internet during the 'research' step of skill creation. This can introduce untrusted content into the rule generation process. It also fetches the 'skiller' package from the npm registry.
- [DATA_EXFILTRATION]: The skill has the capability to read session history and write it to disk. Although it includes a quality gate checklist to avoid sensitive information, the automated nature of the extraction poses a risk of accidental exposure of credentials or private data present in the conversation.
Audit Metadata