inscribe
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection surface identified. The skill ingests untrusted data from the conversation history and user parameters, which are then persisted into files that define the agent's system instructions (such as AGENTS.md or CLAUDE.md). This creates a path where malicious conversation content could influence the agent's core behavior across future sessions.
- Ingestion points: Conversation context and explicit guideline parameters are used as inputs in SKILL.md.
- Boundary markers: The skill incorporates manual checkpoints, requiring the agent to confirm the identified conventions and the final draft with the user before performing any write operations (Steps 0, 4, and 5).
- Capability inventory: The skill utilizes Read, Edit, Write, Glob, and Grep tools to modify project-level documentation and agent-specific configuration files in the home directory (~/.claude/, ~/.config/opencode/, ~/.codex/).
- Sanitization: There is no evidence of sanitization or escaping of the ingested content before it is written to the target documentation files.
- [DATA_EXFILTRATION]: The skill identifies and accesses sensitive configuration directories in the user's home path, including ~/.claude/, ~/.config/opencode/, and ~/.codex/, to manage global agent instructions. While the skill's primary purpose is to manage these files and no network transmission was observed, accessing configuration files that control agent behavior is a sensitive operation.
Audit Metadata