learn
Fail
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to capture user input and store it as 'lessons' in Markdown files (e.g., docs/project-reference/lessons.md) that are automatically injected into the agent's prompt during every future task. This creates a persistent surface for indirect prompt injection.
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to modify executable JavaScript files in the .claude/hooks/ directory (specifically prompt-injections.cjs) to 'promote' lessons. Appending user-influenced strings to executable scripts allows for arbitrary code execution whenever these hooks are triggered by the platform.
- [REMOTE_CODE_EXECUTION]: By modifying local .cjs hook files with unvalidated user content, the skill enables a form of local code injection that functions similarly to remote code execution once the malicious payload is successfully stored and subsequently executed by the agent's runtime environment.
- [INDIRECT_PROMPT_INJECTION_SURFACE]: The skill possesses a wide attack surface for indirect injection:
  - Ingestion points: Captures lessons from any user instruction or conversation triggered by phrases like 'remember this' or 'always do'.
  - Boundary markers: Absent; lessons are appended to files and later injected into prompts without delimiters or instructions to ignore nested commands.
  - Capability inventory: The skill utilizes the Write, Edit, and Bash tools to modify both documentation and executable script files.
  - Sanitization: Absent; while a 'Lesson Quality Gate' exists to ensure lessons are generic, there is no validation to prevent malicious instructions or code snippets from being saved.
Recommendations
- AI detected serious security threats
Audit Metadata