reflect
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands (
ls) to search for and identify the most recent conversation transcript files within the project environment. - [PROMPT_INJECTION]: The skill is designed to process untrusted data from conversation transcripts, creating an indirect prompt injection surface (Category 8).
- Ingestion points: Conversation transcript files in
.jsonlformat are read and passed to parallel reviewer subagents for analysis. - Boundary markers: Subagent prompts in the
references/directory contain explicit instructions to treat transcripts as untrusted data and ignore any embedded directives or instructions framed as user or system commands. - Capability inventory: The parent agent maintains file system write access for skill modification, while the reviewing subagents are restricted to read-only MCP tool access for context verification.
- Sanitization: The security of the skill relies heavily on a mandatory human-in-the-loop approval step (Step 5), where the user must manually review and authorize any proposed skill edits before they are applied to the system.
Audit Metadata