style-learner
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted text from local markdown files via the Read tool to extract style patterns and metrics. Maliciously crafted exemplar text could contain instructions that manipulate the agent's behavior during the style profile generation or later content creation steps.
  - Ingestion points: Local markdown files read by the agent (e.g., README.md, blog-post-1.md).
  - Boundary markers: The instructions do not define clear boundaries or provide explicit isolation instructions to the agent for the ingested file content.
  - Capability inventory: The skill utilizes tools with significant capabilities including Write, TodoWrite, and Bash, which could be leveraged if an injection is successful.
  - Sanitization: There is no evidence of input validation or sanitization of the file content before processing.
- [COMMAND_EXECUTION]: The skill includes technical analysis logic implemented as Bash and Python script snippets.
  - Evidence: File modules/feature-extraction.md contains Bash commands (awk, tr, grep, bc) and a Python script (using re and statistics) for calculating stylistic metrics.
  - Context: These scripts are intended to run on the local filesystem to analyze text density and complexity. While the logic is benign and used for the skill's primary function, the execution of scripts on user-provided data is a relevant architectural characteristic.
Audit Metadata