instincts
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to capture behavioral rules ('instincts') from user input and re-apply them in future sessions. This creates a surface for Indirect Prompt Injection.
- Ingestion points: Captures 'Explicit corrections', 'Approved patterns', and 'Repeated observations' from user interactions.
- Boundary markers: The YAML storage format (`.agents/instincts.yaml`) does not specify delimiters or warnings to ignore embedded instructions within the stored 'rule' field.
- Capability inventory: The skill reads from and writes to the local file system (`.agents/instincts.yaml`), executes `grep` for searching, and invokes a CLI tool (`LEARNINGS_CLI`) for indexing.
- Sanitization: There is no evidence of sanitization for user-provided strings before they are stored as behavioral rules or interpolated into commands.
- [COMMAND_EXECUTION]: The skill uses shell command templates to manage the learning lifecycle.
- Search logic: Uses `grep -i "{keyword}" .agents/instincts.yaml` to check for existing rules. If the `{keyword}` is derived from unescaped user input, it may be vulnerable to command injection.
- Promotion logic: Executes a CLI tool defined by environment variables: `"$LEARNINGS_CLI" add docs/solutions/instincts/{instinct-id}.md`. If the `{instinct-id}` is not strictly validated, it could lead to path traversal or command injection.
Audit Metadata