lesson
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE | PROMPT_INJECTION | NO_CODE
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface
- Ingestion points: Recent conversation context (untrusted user input) analyzed in SKILL.md.
- Boundary markers: None; there are no delimiters or instructions to ignore malicious directives embedded within the 'lessons' being extracted.
- Capability inventory: Modifying the SKILL.md file and updating long-term memory entries via internal storage tools.
- Sanitization: No sanitization or validation of the extracted 'lesson' or 'decision principle' is performed before persistence.
- [PROMPT_INJECTION]: Instruction Persistence via Self-Modification
- The rule 'If the lesson also affects a checklist or SKILL.md, update those files too' creates a risk where an attacker can provide a 'lesson' that includes malicious instructions. If the agent accepts this as a valid insight, it will rewrite its own SKILL.md, leading to a persistent and difficult-to-detect prompt injection that affects all future sessions.
Audit Metadata