money-restore
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an ingestion surface for indirect prompt injection as it reads and parses content from local session files.
- Ingestion points: Markdown and YAML snapshot files located in
~/.smtm/sessions/{project}/. - Boundary markers: Absent; the instructions do not define specific delimiters to isolate potentially untrusted content from the files.
- Capability inventory: The skill relies on file-reading capabilities to retrieve state. It explicitly prohibits the autonomous execution of subsequent skills (Step 5), which limits the impact of potential injections.
- Sanitization: Absent; the instructions direct the agent to parse and present the content of the snapshot files verbatim.
- [SAFE]: No malicious prompt injection markers or attempts to bypass safety filters were found in the instructions.
- [SAFE]: The skill does not perform any network operations or external data exfiltration. All data operations are restricted to a local application-specific directory.
- [SAFE]: No credential harvesting or access to sensitive system paths (e.g., .ssh, .aws, .env) was detected.
- [SAFE]: No remote code execution or dynamic code generation patterns are present.
Audit Metadata