learn
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Uses shell commands such as
find,wc,grep,sed, andxargsinSKILL.md(Step 1) to identify existing assistant configuration files and skill definitions within the local file system. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection because it processes untrusted data from conversation history to generate instructions that are persisted in project-level configuration files (e.g.,
CLAUDE.md,.cursorrules,.continuerc.json). - Ingestion points: The skill analyzes conversation history as defined in
SKILL.md(Step 2) to extract "Discoveries", "Workflows", and "Corrections". - Boundary markers: Lacks programmatic delimiters to isolate untrusted data during analysis, but utilizes a procedural boundary via Step 5's mandatory human review process.
- Capability inventory: The skill has permissions to write to multiple assistant configuration files and create new executable skill definitions in the
skills/directory (Step 6). - Sanitization: Incorporates a "Minimum viable rule text" audit to trim rule content and requires explicit user approval before any file system modifications are executed.
Audit Metadata