notepad-system
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a context restoration protocol that reads data from a local file and instructs the agent to treat it as high-priority context.
- Ingestion points: The agent reads state information from
~/.claude/projects/<project-hash>/notepad.mdduring the recovery phase. - Boundary markers: The protocol uses Markdown headers (
# Notepad,## Priority Notes) to organize data, but it lacks explicit protective delimiters or instructions to ignore potential commands embedded within the notes. - Capability inventory: The skill performs file system read/write operations and directly interpolates retrieved content into the active agent context.
- Sanitization: There is no validation or sanitization of the content retrieved from the notepad file, as the goal is to faithfully restore previous session state.
- [COMMAND_EXECUTION]: The skill documentation provides shell command examples for manually interacting with the notepad storage.
- Evidence: Use of the
catcommand is referenced for reading the state file at~/.claude/projects/<hash>/notepad.md.
Audit Metadata