session-managing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill enables persistent Indirect Prompt Injection. 1. Ingestion points: Automatically reads 'doc/memory.md' and '.agent/rules/rule-one.md' at the start of every session through the INHERIT mode. 2. Boundary markers: Absent; the agent is instructed to treat these files as core principles and context without any delimiters or safety constraints. 3. Capability inventory: The skill possesses automated file-write capabilities across the 'doc/' directory to 'deposit' essence. 4. Sanitization: Absent; there is no filtering or validation to prevent the agent from saving malicious instructions encountered during a session into the permanent 'memory.md' file.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes automated filesystem operations (reading and writing) based on conversation triggers. Because the 'DEPOSIT' phase is automated (only notifying the user after completion), it allows for the automated persistence of malicious logic within the project structure.
Recommendations
- AI detected serious security threats
Audit Metadata