corpus-persona-extraction
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external session logs to synthesize persona models. \n- Ingestion points: The skill reads from a corpus of session files, including JSONL, markdown exports, and message-atom extracts, as defined in the inputs section of
SKILL.md. \n- Boundary markers: The instructions lack explicit boundary markers or directives to the agent to treat the content of the logs strictly as data and to ignore any embedded commands. \n- Capability inventory: The skill is granted permissions to read the filesystem and create files (reads-filesystem,creates-files), which could be misused if an injection attack is successful. \n- Sanitization: While a redaction step for PII and secrets is mentioned, there is no validation or escaping of the input content to prevent instructions within the corpus from overriding the agent's behavior.
Audit Metadata