money-learn

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture creates a persistent memory system that auto-loads data from a local file (learnings.jsonl) into the prompt context of multiple other skills. While this is the intended purpose, it establishes an indirect prompt injection surface.
  • Ingestion points: Data enters the agent context from the file located at ~/.smtm/projects/{slug}/learnings.jsonl (found in SKILL.md).
  • Boundary markers: The instructions do not specify the use of delimiters (e.g., XML tags or backticks) or 'ignore embedded instructions' warnings when auto-loading learnings into other skills' preambles.
  • Capability inventory: The skill suite is designed to perform file read and write operations on the local file system.
  • Sanitization: There are no explicit instructions to sanitize or validate the content of the 'pattern' or 'evidence' fields before they are injected into the agent's reasoning chain.
  • [DATA_EXFILTRATION]: The skill manages application data within the user's home directory.
  • Evidence: Interacts with paths matching ~/.smtm/projects/{slug}/learnings.jsonl (found in SKILL.md).
  • Analysis: The use of a dynamic {slug} variable in file paths is for project organization. While theoretically a surface for path traversal if handled incorrectly by the agent, it is used here as a standard organizational pattern for the tool's own data and does not target known sensitive system files.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 03:34 PM
Security Audit — agent-trust-hub — money-learn