claude-reflection
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill's core function is to ingest untrusted data from interactions to build persistent knowledge, creating a significant injection surface.
  - Ingestion points: Processes 'Direct Correction', 'Preference', and 'Repeated Pattern' triggers from user-provided text or workflow data.
  - Boundary markers: The documentation does not specify the use of delimiters or 'ignore embedded instructions' prompts when processing or storing these learnings.
  - Capability inventory: Possesses file-write capabilities to the user's home directory (~/.claude/memory/) to persist YAML files.
  - Sanitization: No sanitization or validation logic is described for the content being abstracted and stored.
- [Data Exposure] (LOW): The skill writes potentially sensitive user preferences and workflow patterns to the local file system (~/.claude/memory/). While this is the intended purpose, it establishes a repository of sensitive information that other processes or skills could potentially access.
Audit Metadata