learner
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill defines a workflow where the agent extracts principles and heuristics from the 'current conversation' to create new skills. This creates a surface for indirect prompt injection if the conversation context contains untrusted data (e.g., the agent is summarizing a malicious webpage or pull request). An attacker could plant content designed to be recognized as a 'hard-won insight' and saved as a persistent instruction.
- [COMMAND_EXECUTION]: FileSystem Persistence: The 'Step 4: Save Location' section instructs the agent to write files to .omc/skills/ or ~/.claude/skills/. While this is the intended purpose of the skill, it allows for the persistence of untrusted instructions that will be loaded in subsequent agent sessions.
- [PROMPT_INJECTION]: Mandatory Evidence Chain (Category 8):
- Ingestion points: Untrusted data enters the agent context via the 'current conversation' being analyzed for extraction (SKILL.md).
- Boundary markers: None. The skill relies on qualitative 'Quality Gates' rather than technical delimiters to filter content.
- Capability inventory: The agent must use its file-writing capabilities to save the extracted skills to the disk (SKILL.md, Step 4).
- Sanitization: Absent. There is no instruction to escape or sanitize the content extracted from the conversation before writing it to a new skill file.
Audit Metadata