learner
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill implements a 'learning' mechanism that transforms untrusted conversation data into persistent instructions. It extracts heuristics from the current context and writes them to files in '~/.codex/skills/' or '.omx/skills/'. This enables a persistent indirect prompt injection attack where malicious patterns are encoded as 'skills' and automatically loaded in future sessions to bypass safety or exfiltrate data. The 'Quality Validation' step is performed by the AI itself and is trivially bypassable.
- [DATA_EXFILTRATION] (LOW): The extraction process encourages the storage of sensitive environment data. It explicitly instructs the agent to include 'actual error messages, file paths, line numbers' in the saved markdown files. This can lead to the accidental persistence of API keys, tokens, or sensitive internal paths discovered during a debugging session into local storage.
Recommendations
- AI detected serious security threats
Audit Metadata