skill-evolution
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill's primary mechanism creates a significant surface for indirect prompt injection by learning from untrusted user interactions.
  - Ingestion points: User-provided edits to code and text are monitored via `PostTool` hooks in `references/evolution-analysis.md`.
  - Boundary markers: The system lacks delimiters or instructions to ignore embedded commands within user edits, making it possible for users to intentionally inject patterns.
  - Capability inventory: The skill uses `Write` and `Edit` tools to modify `SKILL.md` instruction files and create new documentation in the `references/` directory.
  - Sanitization: There is no validation or sanitization of the patterns detected in user edits before they are suggested for integration into the skill's base instructions.
- [COMMAND_EXECUTION]: The skill manages agent instructions at runtime and executes local shell scripts based on user input.
  - Dynamic Instruction Modification: The skill incorporates an 'Auto-Evolution' feature where high-confidence (0.85+) suggestions are applied to modify `SKILL.md` files automatically, potentially altering the agent's security posture or behavior without direct oversight.
  - Local Script Execution: Subcommands directly invoke shell scripts (`evolution-engine.sh` and `version-manager.sh`) located in the project's hidden configuration directory to perform operations on the filesystem.
Audit Metadata