forge-persona
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses multiple external Python scripts (e.g., wechat_parser.py, social_parser.py, journal_analyzer.py) to process user data. These scripts are not included in the provided files, so their internal logic and security cannot be audited.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) through the ingestion of external data.
  - Ingestion points: Raw chat logs and social media content are ingested in Phase 1 of SKILL.md.
  - Boundary markers: No explicit markers or instructions are provided to the agent to isolate the ingested text from its operational logic.
  - Capability inventory: The skill possesses powerful capabilities including Bash execution and full file system access (Read/Write/Edit).
  - Sanitization: No validation or sanitization of external text is performed before it is processed by the persona builder prompts.
Audit Metadata