reflect
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes conversation transcripts which are untrusted data and could contain indirect prompt injection attacks.
- Ingestion points: Transcript files in JSONL format are loaded from the workspace directory as specified in the SKILL.md process.
- Boundary markers: All reviewer prompts in the references directory contain explicit instructions to treat transcripts as untrusted and to disregard instructions contained within them.
- Capability inventory: Reviewer subagents are configured with read-only access to local context via MCP tools. The parent agent handles the capability to modify and create skills.
- Sanitization: A human-in-the-loop checkpoint is enforced in Step 5, requiring explicit user approval for any and all suggested skill edits before they are applied.
- [COMMAND_EXECUTION]: The skill utilizes the
lscommand to retrieve a list of recent transcript files for analysis. This is a functional requirement for locating the correct chat session context and is constrained to the workspace transcript directory.
Audit Metadata