inject
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Reads from sensitive file paths in the user's home directory, including ~/.agents/MEMORY.md, ~/.agents/learnings/, and ~/.claude/patterns/. This information is summarized and presented within the agent's active session context.
- [COMMAND_EXECUTION]: Instructs the agent to execute shell commands using common utilities such as sed, ls, and mkdir for knowledge discovery and directory management.
- [COMMAND_EXECUTION]: Includes a bash script template for recording citations that is susceptible to shell command injection if the filenames of the processed artifacts (supplied by the template's loop over the list of files) contain shell metacharacters.
- [PROMPT_INJECTION]: Presents a surface for indirect prompt injection by ingesting and summarizing external data from the file system into the agent's context without implementing explicit sanitization or boundary markers.
  - Ingestion points: Reads from ~/.agents/MEMORY.md, .agents/learnings/, and .agents/patterns/.
  - Boundary markers: No delimiters or ignore-embedded-instruction warnings are specified for the injected content.
  - Capability inventory: The skill utilizes mkdir, echo, ls, and sed through the agent's shell capability.
  - Sanitization: No content sanitization or validation logic is present before the data is summarized.
Audit Metadata