Gen Agent Trust Hub audit: skills/wyattowalsh/agents/learn

Skill: learn

Result: Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE (finding categories: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by capturing untrusted user or data-driven input as 'learnings' which are later persisted into core instruction files such as global.md and AGENTS.md. This could lead to permanent behavioral overrides if malicious corrections are accepted.
    • Ingestion points: Untrusted data enters the context via the $ARGUMENTS field defined in SKILL.md and is managed by scripts/state.py.
    • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are applied to the captured text before it is written to the target files.
    • Capability inventory: The skill can modify global and project-level instruction files and execute host commands (wagents validate).
    • Sanitization: No content validation or escaping is performed on the ingested text before interpolation.
  • [COMMAND_EXECUTION]: The verification protocol in SKILL.md and the evaluation files specify that the agent must execute the 'wagents validate' command on the host system to verify any changes made to the instruction files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 8, 2026, 05:43 PM