learn-session
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill analyzes conversation history to extract persistent rules, creating a vulnerability where malicious instructions in session data could be promoted to permanent configuration.
  - Ingestion points: Reads conversation history and project-specific rule files (AGENTS.md, .claude/agents/*.md).
  - Boundary markers: Lacks markers to distinguish between trusted instructions and untrusted session data.
  - Capability inventory: Designed to modify persistent project files including AGENTS.md and .claude/agents/*.md.
  - Sanitization: No sanitization is implemented to filter or validate findings before they are presented for persistence.
- [COMMAND_EXECUTION]: The skill instructs the agent to use a shell command (echo "$PWD" | tr '/' '-') to dynamically resolve the project's memory file path in the ~/.claude/ directory.
Audit Metadata