book-tutor
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from external files to guide its teaching logic and update progress trackers.\n
- Ingestion points: The skill reads configuration from
CLAUDE.md, progress data from avault_trackerfile, and educational content from various chapter source files.\n - Boundary markers: There are no instructions to use delimiters or security headers when reading these files, which could allow malicious instructions hidden within book text or progress logs to override the tutor's behavior.\n
- Capability inventory: The skill has the capability to read and write files, including at absolute paths defined in the project configuration.\n
- Sanitization: The skill does not perform sanitization, escaping, or validation on the content retrieved from external source files before interpolating it into the agent's context.
Audit Metadata