corpus-persona-extraction

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external session logs to synthesize persona models. \n- Ingestion points: The skill reads from a corpus of session files, including JSONL, markdown exports, and message-atom extracts, as defined in the inputs section of SKILL.md. \n- Boundary markers: The instructions lack explicit boundary markers or directives to the agent to treat the content of the logs strictly as data and to ignore any embedded commands. \n- Capability inventory: The skill is granted permissions to read the filesystem and create files (reads-filesystem, creates-files), which could be misused if an injection attack is successful. \n- Sanitization: While a redaction step for PII and secrets is mentioned, there is no validation or escaping of the input content to prevent instructions within the corpus from overriding the agent's behavior.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 12:02 PM
Security Audit — agent-trust-hub — corpus-persona-extraction