learn
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill implements a 7-phase pipeline that includes 'WebSearch' and 'WebFetch' (Phase 3/5) to ingest external data. This data is then used in Phase 6 ('Compound') to update a permanent knowledge base and in Phase 7 ('Renormalize') to evolve the skill's own schema (Σ → Σ'). Malicious instructions embedded in processed web content could manipulate this process, leading to persistent 'poisoning' of the agent's logic and behavior.
- [Dynamic Execution / Self-Modification] (HIGH): The skill explicitly targets 'homoiconicity' (Σ.can_process(Σ)) and 'Recursive self-improvement'. By using allowed tools like 'Edit' and 'Write' to modify its own files based on external 'learnings', the skill functions as self-modifying code. This capability is difficult to audit and can be used to bypass safety constraints or establish persistence after an initial injection.
- [Data Exposure] (LOW): The local script 'scripts/validate.py' is designed to crawl the skill's directory and read all markdown files to calculate topology metrics (η density). While intended for validation, this pattern demonstrates automated local file reading capabilities.
- [Command Execution] (MEDIUM): The '3-execute.md' phase and 'orchestrator.md' describe the ability to 'strategize' and execute plans involving parallel subprocesses and tool calls. When combined with the self-modifying schema, this grants the agent broad latitude to execute complex, potentially unverified command sequences.
Recommendations
- AI detected serious security threats
Audit Metadata