post-task-learning-review
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/install.shmodifies the~/.codex/AGENTS.mdfile by appending rules from the skill. This is a global configuration file that determines agent behavior across all sessions, and modifying it represents a persistent change to the agent's core instructions. - [EXTERNAL_DOWNLOADS]: The installation guide recommends using
npx skills addto fetch the skill fromhttps://github.com/nangongwentian-fe/jay-skills. While this repository belongs to the author, the process involves downloading and preparing code from a remote source for execution. - [PROMPT_INJECTION]: The skill's primary function is to analyze task history for learning, which presents a risk of indirect prompt injection.
- Ingestion points: The
SKILL.mdreview workflow instructs the agent to analyze task logs and results to identify lessons. - Boundary markers: The instructions do not define delimiters or provide warnings to ignore malicious commands that might be embedded in the processed task data.
- Capability inventory: The skill has the capability to update agent memory, modify project documentation, and create or update other skills using the
$skill-creatortool. - Sanitization: There is no mechanism described to sanitize or validate extracted lessons before they are used to update system instructions or persistent documentation.
Audit Metadata