critique
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface when processing human feedback. The user-provided `<feedback>` is interpolated into the context for the `/brainstorm` skill call without explicit sanitization or boundary markers.
  - Ingestion points: The `feedback` argument passed to the skill in Human Feedback mode.
  - Boundary markers: Absent; the feedback is passed as a string context to subsequent skills.
  - Capability inventory: The skill can invoke `/brainstorm`, `/investigate`, `/formalize-problem`, and `/synthesize`, which triggers further file reads and command executions.
  - Sanitization: None mentioned; the feedback is used verbatim or lightly paraphrased.
- [DATA_EXFILTRATION]: In `--codex` mode, the skill extracts segments of research data, including the last five findings from `current-understanding.md` and summary rows from `notes/results.md`, and sends them to an external OpenAI Codex instance via MCP. While this is the primary functionality of the consultation mode, it involves exporting internal workspace data to a third-party service.
- [COMMAND_EXECUTION]: The skill orchestrates the execution of multiple other agent skills (`/brainstorm`, `/investigate`, `/formalize-problem`, `/synthesize`) based on the classification of feedback or Codex consultation results. This creates a chain of automated actions triggered by external input.
- [OTHER]: The skill includes a 'Path Resolution Protocol' that instructs the agent to manually resolve paths by substituting `{{REAPER_SKILL_DIR}}` with absolute directories such as `~/.claude/skills/reaper/` or `~/.agents/skills/reaper/`. This practice guides the agent to access specific configuration and reference files outside its immediate workspace.
Audit Metadata