context-window-to-skill
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified.
  - Ingestion points: The skill ingests the entire active conversation history as a reference source.
  - Boundary markers: There are no instructions to the agent to treat conversation content as untrusted or to ignore embedded instructions during the analysis phase.
  - Capability inventory: The agent is instructed to use file-writing capabilities to save content to the filesystem.
  - Sanitization: No sanitization or validation logic is defined to filter malicious payloads from the conversation before they are written into a new skill file.
- [COMMAND_EXECUTION]: The skill performs dynamic instruction generation and persistence.
  - The skill generates new instructions (a "skill") at runtime based on external data.
  - The generated content is persisted to the local filesystem in a directory used for loading agent extensions (~/.claude/skills/), which effectively creates a persistence mechanism for generated behaviors.