dream
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes data from untrusted external sources and integrates it into the knowledge base.
- Ingestion points: Untrusted data enters the agent context from files in the
raw/inbox/directory (Step 3) and from external content fetched via URLs in thesources:metadata field (Step 8). - Boundary markers: The instructions do not define delimiters or specific warnings to prevent the agent from following instructions embedded within the ingested data.
- Capability inventory: The skill performs file reads, writes, and deletions across the KB directory and executes network requests to fetch remote content.
- Sanitization: There is no evidence of sanitization or validation of the ingested content before it is used to update or merge notes.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to retrieve data from URLs defined in a note's metadata.
- Evidence: Step 8 (Refresh from sources) explicitly instructs the agent to fetch content from remote URLs, such as
llms.txtfiles, when a note is considered stale. - [COMMAND_EXECUTION]: The skill's core functionality involves managing the local file system within the KB path.
- Evidence: Steps 3 through 12 involve multiple file system operations, including reading note content, writing merged or split notes, and deleting processed inbox files or pruned notes.
Audit Metadata