napkin
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by mandating that the agent read and silently internalize instructions from `.claude/napkin.md` at the beginning of every session.
  - Ingestion points: The file `.claude/napkin.md` within the repository serves as the primary ingestion point for untrusted data.
  - Boundary markers: Absent. The skill provides no delimiters or instructions to treat the content of the runbook as untrusted; instead, it explicitly tells the agent to "apply it silently."
  - Capability inventory: The agent's existing capabilities (such as filesystem access and terminal execution) provide a target for malicious instructions stored in the napkin file.
  - Sanitization: Absent. There are no mechanisms described for validating, escaping, or filtering the data read from the napkin file before it influences agent behavior.
Audit Metadata