context-recovery
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell scripts to search for and read files on the host system, executing commands like `ls`, `grep`, `jq`, and `cat` with wildcards in the user's home directory (`~/.clawdbot-*` and `~/clawd-*`) to find session logs and memory files.
- [DATA_EXFILTRATION]: Accesses sensitive internal storage for agent conversation logs and shared memory files located at `~/.clawdbot-*/agents/*/sessions` and `~/clawd-*/memory/`. While used for context restoration, these files contain private conversation history and potentially sensitive data from past interactions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection from untrusted data sources.
  - Ingestion points: Retrieves external message history via `message:read` from chat platforms (Discord, Slack, etc.) and processes local `.jsonl` session files.
  - Boundary markers: No explicit boundary markers or directives are used to distinguish untrusted recovered content from core instructions.
  - Capability inventory: Includes shell command execution, file read access, and file-write access to memory directories.
  - Sanitization: There is no evidence of input validation or sanitization of external content before it is integrated into the agent's working context.
Audit Metadata