improve-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): The skill accesses highly sensitive directories containing AI agent session history, including ~/.claude/projects/, ~/.pi/agent/sessions/, and ~/.codex/sessions/.
  - Evidence: These logs often contain proprietary source code, internal system information, and sensitive data or credentials that may have been present in the developer's environment during a session.
  - Severity Note: While this behavior is central to the skill's primary purpose, the exposure of session logs represents a significant privacy and security risk. Severity is downgraded from HIGH to MEDIUM due to the stated primary use case.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it feeds raw session transcripts, which are untrusted input, into a prompt that generates new instructions.
  - Ingestion points: Processes .jsonl session files via the extract-session.cjs script.
  - Boundary markers: Uses <session_transcript> tags, which provide weak delimitation and do not prevent an LLM from obeying instructions embedded within the transcript.
  - Capability inventory: The resulting prompts instruct the agent to write files back to skill directories (e.g., ~/.codex/skills/), which could allow an attacker to persist malicious instructions.
  - Sanitization: No sanitization or filtering is performed on the transcript data before it is interpolated into the improvement prompt.
- [COMMAND_EXECUTION] (LOW): The skill executes a local script, ./scripts/extract-session.cjs. While the script is part of the skill package, running a script that crawls the filesystem for session files is a permission-heavy operation.
Audit Metadata