self-reflection
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses high-pressure, imperative language such as 'ALWAYS', 'MUST', and 'Do NOT close a complex task without running this' to override the agent's standard task-completion criteria and ensure the protocol is executed regardless of the context.
- [COMMAND_EXECUTION]: The skill instructs the agent to perform write operations on sensitive files that define agent behavior and project constraints (e.g., `.cursorrules`, `llms.txt`, `CLAUDE.md`, and new `SKILL.md` files). This is used to permanently modify the agent's operational environment and rule-set.
- [INDIRECT_PROMPT_INJECTION]: The skill facilitates a persistent instruction poisoning loop by design. Lessons derived from potentially untrusted project content are automatically appended to root instruction files without verification.
- Ingestion points: The agent's reasoning history of the current task, which typically involves processing untrusted external data (code, PR descriptions, or bug reports).
- Boundary markers: Absent. The instructions do not provide templates for sanitizing lessons or wrapping them in 'ignore embedded instructions' delimiters.
- Capability inventory: Write access to behavioral instruction files (`.cursorrules`, `skills/`, `.ast-grep/rules/`) across the entire workspace.
- Sanitization: Absent. The agent is encouraged to directly append its interpretation of 'lessons' to configuration files.
Audit Metadata