brain-load
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes content from untrusted Logseq markdown files without employing isolation techniques or boundary markers. \n
- Ingestion points: Untrusted data enters the context from markdown files in the
pages/andjournals/directories, as well as potentialplan.mdfiles in task folders (SKILL.md). \n - Boundary markers: Absent. There are no instructions to the agent to wrap external content in delimiters or to ignore instructions embedded within the loaded files. \n
- Capability inventory: The skill uses file system tools for reading (targeted reads, globbing), searching (grep), and writing (journey-log updates). \n
- Sanitization: Absent. Content is presented to the agent for context restoration without filtering or escaping. \n- [COMMAND_EXECUTION]: The cross-graph search algorithm in
references/search.mdinstructs the agent to executegrepusing user-supplied search terms. If the agent implements this via a shell-based tool without rigorous sanitization of the input term, it could be vulnerable to command injection.
Audit Metadata