extract-transcripts
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill processes past conversation history, which constitutes untrusted data.
  - Ingestion points: JSONL files in ~/.claude/ and ~/.codex/ directories.
  - Boundary markers: Uses basic Markdown headers (e.g., ## Assistant) which are insufficient to prevent the agent from obeying instructions embedded within the transcript.
  - Capability inventory: Output is consumed by Claude Code and Codex CLI, which possess system-level capabilities like command execution.
  - Sanitization: No sanitization or escaping of the transcript content is performed.
- DATA_EXFILTRATION (HIGH): The skill accesses and exposes sensitive conversation history and environment metadata.
  - Evidence: It reads session files containing full conversation logs and metadata from user-specific directories. Accessing these sensitive paths and rendering them to the agent context creates a high risk of data exposure.
Recommendations
- AI detected serious security threats