aprende
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `Write`, `Edit`, and `Bash` tools to modify configuration files such as `CLAUDE.md`, `AGENTS.md`, and creates new skill stubs (`SKILL.md`) in both local project directories and the user's home directory (`~/.claude/`). While this is the intended purpose, it represents an automated modification of the agent's operating environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it scans the entire conversation transcript (which may include untrusted content from the web or other files) to generate durable instructions for future sessions. A malicious payload within the processed data could attempt to trick the agent into 'learning' a rule that undermines security in future sessions.
  - Ingestion points: The current conversation transcript and a signal file (`.aprende-signals.md`) are the primary data inputs.
  - Boundary markers: The skill utilizes clear internal workflow steps (Pass A through Pass E) but does not apply specific sanitization to the extracted text before proposing it to the user.
  - Capability inventory: The agent has the ability to write executable-like skill stubs and project-level instructions using the `Write` and `Edit` tools.
  - Sanitization: Content is not sanitized; the system relies entirely on the human-in-the-loop confirmation step (Pass D) as the primary safeguard.
- [SAFE]: The skill explicitly forbids automatic writing, requiring the user to approve specific numbered candidates before any file system changes occur. It also implements unique filename generation (appending suffixes) to prevent accidental overwriting of existing memory files.