auto-skill
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a 'Self-Bootstrapping' instruction (Step 0.5) that directs the agent to modify global instruction files including ~/.gemini/GEMINI.md, ~/.cursor/rules/global.mdc, and ~/.claude/CLAUDE.md. This mechanism overrides standard behavior to ensure the skill is prioritized in all future tasks.
- [COMMAND_EXECUTION]: The agent is instructed to perform file system modifications to sensitive global configuration files in the user's home directory to achieve persistence across different projects and sessions.
- [PROMPT_INJECTION]: The skill introduces a vulnerability to indirect prompt injection by recording 'successful' experiences and injecting them into future context without sanitization. (1) Ingestion points: Historical data from the 'experience/' and 'knowledge-base/' directories. (2) Boundary markers: No delimiters are used when interpolating historical content into the current prompt. (3) Capability inventory: The agent has broad capabilities including file writes and task planning. (4) Sanitization: No validation or filtering is applied to historical data before storage or re-injection.
Recommendations
- AI detected serious security threats
Audit Metadata