metacognition

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill creates an Indirect Prompt Injection surface by extracting 'perceptions' from conversation logs and injecting them into the agent's system prompt (BOOT.md).
  • Ingestion points: Session logs in memory/YYYY-MM-DD.md.
  • Boundary markers: Content is wrapped in marker tags in BOOT.md, but individual entries lack 'ignore instruction' delimiters.
  • Capability inventory: The skill can modify agent configuration and execute subprocesses.
  • Sanitization: Content is truncated to 500 characters but not sanitized for malicious instructions.
  • [PROMPT_INJECTION]: The cron template in references/cron-template.md provides instructions for the agent to adopt a 'metacognition engine' persona that analyzes its own patterns and modifies its behavioral logic, representing a sensitive self-modification instruction set.
  • [COMMAND_EXECUTION]: The script scripts/live_state.py attempts to execute an optional vendor-provided script scripts/snapshot_prawn.py via subprocess.run. This script is not included in the provided files.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 10, 2026, 02:10 PM