learn
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the conversation history and has the capability to persist this data into project-level instructions or new executable skills.
- Ingestion points: Conversation history analyzed in Step 2 of SKILL.md to extract "lessons learned".
- Boundary markers: The skill does not utilize boundary markers or explicit instructions to ignore embedded prompts within the extracted content when writing to files.
- Capability inventory: The skill has file system write access (Step 5 of SKILL.md) to modify project instructions (e.g., CLAUDE.md, .cursorrules) and create new skill files.
- Sanitization: There is no automated sanitization, validation, or filtering of the extracted content before it is written; the process relies on a human-in-the-loop confirmation (Step 4) which serves as a mitigation but does not technically prevent the vulnerability.
Audit Metadata