context-recovery
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Step 4 runs `grep` with keywords extracted from untrusted external chat history and performs no sanitization. An attacker can craft messages containing shell metacharacters (`;`, `|`, `$(...)`) so that the keyword ends the `grep` command and starts an arbitrary one on the host.
- [COMMAND_EXECUTION]: Step 6 writes the recovered text through a shell heredoc with an unquoted delimiter (`<< EOF`). With the delimiter unquoted, the shell expands the heredoc body, so any command substitution (such as `$(...)`) present in text sourced from chat history is executed rather than printed.
- [DATA_EXFILTRATION]: The skill reads broad file paths such as `~/.clawdbot-*/agents/*/sessions` and `~/clawd-*/memory/`. This exposes data from other sessions and sensitive agent history, which can be extracted or viewed without authorization through the recovery summary.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. Ingestion points: external chat messages from Discord, Slack, etc., fetched in Step 2. Boundary markers: no delimiters or ignore-instructions markers are used when parsing history. Capability inventory: significant shell capabilities (`grep`, `jq`, `cat`, `ls`) and broad filesystem access. Sanitization: none; untrusted data is interpolated directly into shell commands.
- [PROMPT_INJECTION]: The automatic triggers for context recovery can be spoofed. A user who sends specific keywords such as `<summary>` or 'context limits' can force the agent to reveal internal state or perform unauthorized data searches.
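The two COMMAND_EXECUTION findings above describe the same root cause: text from chat history reaches a shell that re-parses it. The script below is an added example written for this report, not the skill's own code. It reproduces the audited Step 4 pattern (a keyword spliced into a `grep` command string) and the Step 6 pattern (recovered text embedded in a `<< EOF` heredoc) next to the hardened forms, using a constructed transcript file and constructed attacker strings; the session path named in the comments is taken from the audit text, everything else is assumed.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): how unsanitized chat text reaches a
# shell through a grep command string and an unquoted heredoc, and the fixes.
# The transcript, the injected strings and all function names are constructed.

# Constructed sample session transcript standing in for one file under
# ~/.clawdbot-*/agents/*/sessions (path taken from the audit, layout assumed).
SESSION_FILE="$(mktemp)"
printf '%s\n' \
  'user: we need to deploy tonight' \
  'assistant: deploy plan ready' \
  'user: also rotate the API key' > "$SESSION_FILE"

# Constructed attacker-controlled inputs.
# 1. A "keyword" extracted from a chat message: ';' ends grep, then a new command runs.
KEYWORD_INJECTED='deploy; echo PWNED; :'
# 2. Recovered text to be echoed back via a heredoc: $(...) is live if EOF is unquoted.
RECOVERED_TEXT='Summary: $(echo PWNED) was discussed'

# Step 4 as audited: keyword spliced into a command string that a shell re-parses.
# stdin is /dev/null so the truncated grep does not block waiting for input.
vulnerable_grep() {
  local kw="$1" file="$2"
  sh -c "grep -c $kw -- $file" </dev/null   # metacharacters in $kw are executed
}

# Fix: pass the keyword as a single argument, as a fixed string, after -e and --
# so it can be neither a command nor an option. '|| true' keeps the printed
# count when grep exits 1 for zero matches.
safe_grep() {
  local kw="$1" file="$2"
  grep -cF -e "$kw" -- "$file" || true
}

# Step 6 as audited: the agent emits a tool call whose command string embeds the
# recovered text verbatim inside <<EOF. The shell running that command expands
# $(...) in the heredoc body because the delimiter is unquoted.
render_unquoted_heredoc() {
  sh -c "cat <<EOF
$1
EOF"
}

# Fix: quote the delimiter ('EOF') so the body is taken literally, no expansion.
render_quoted_heredoc() {
  sh -c "cat <<'EOF'
$1
EOF"
}

# Run all four so the difference is visible when the script is executed directly.
demo() {
  echo "vulnerable grep:";  vulnerable_grep "$KEYWORD_INJECTED" "$SESSION_FILE"
  echo "safe grep:";        safe_grep "$KEYWORD_INJECTED" "$SESSION_FILE"
  echo "unquoted heredoc:"; render_unquoted_heredoc "$RECOVERED_TEXT"
  echo "quoted heredoc:";   render_quoted_heredoc "$RECOVERED_TEXT"
}
demo
```

Running it shows `PWNED` twice from the vulnerable paths and nothing but the literal strings from the fixed ones. The `grep` fix works because the keyword never passes through a second shell parse; the heredoc fix works because a quoted delimiter disables parameter and command substitution for the whole body. Neither addresses the PROMPT_INJECTION findings, which require the agent to treat fetched chat content as data rather than instructions.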
Recommendations
- AI detected serious security threats