post-task-learning-review

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/install.sh modifies the ~/.codex/AGENTS.md file by appending rules from the skill. This is a global configuration file that determines agent behavior across all sessions, and modifying it represents a persistent change to the agent's core instructions.
  • [EXTERNAL_DOWNLOADS]: The installation guide recommends using npx skills add to fetch the skill from https://github.com/nangongwentian-fe/jay-skills. While this repository belongs to the author, the process involves downloading and preparing code from a remote source for execution.
  • [PROMPT_INJECTION]: The skill's primary function is to analyze task history for learning, which presents a risk of indirect prompt injection.
  • Ingestion points: The SKILL.md review workflow instructs the agent to analyze task logs and results to identify lessons.
  • Boundary markers: The instructions do not define delimiters or provide warnings to ignore malicious commands that might be embedded in the processed task data.
  • Capability inventory: The skill has the capability to update agent memory, modify project documentation, and create or update other skills using the $skill-creator tool.
  • Sanitization: There is no mechanism described to sanitize or validate extracted lessons before they are used to update system instructions or persistent documentation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 03:50 PM
Security Audit — agent-trust-hub — post-task-learning-review