horizon-track
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests, stores, and later retrieves untrusted user content (objective names, milestone criteria, and session summaries) which could contain malicious instructions designed to influence the agent's behavior during future sessions.
- Ingestion points: Untrusted data enters the agent context via the
<objective-name>argument and during session updates where users define milestones and progress. - Boundary markers: The skill instructions do not specify any delimiters or warnings to the agent to disregard instructions embedded within the tracked data.
- Capability inventory: The skill allows the use of powerful tools including
Bash,Read, andWrite, alongside multiple memory and session management tools (mcp__claude-flow__*). - Sanitization: There are no instructions for validating, escaping, or filtering the external content provided by the user before it is stored or processed.
Audit Metadata