improve-skill
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local script, `scripts/extract-session.js`, to extract data from agent session history.
- [DATA_EXFILTRATION]: The skill accesses sensitive directory paths including `~/.claude/projects/` and `~/.codex/sessions/` to read session transcripts. These transcripts frequently contain proprietary code, environment details, and potentially sensitive credentials or data discussed during agent sessions.
- [PROMPT_INJECTION]: The skill processes untrusted data from session history, creating an indirect prompt injection surface.
  - Ingestion points: Transcripts extracted from local JSONL logs are directly interpolated into new prompts.
  - Boundary markers: The prompt template uses simple `<session_transcript>` tags which can be bypassed by malicious content in the session history.
  - Capability inventory: The agent is subsequently instructed to write files to the filesystem based on the analysis of the untrusted transcript.
  - Sanitization: No validation or sanitization is performed on the extracted content to prevent embedded instructions from being executed by the agent in the new session.