open-insights
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local TypeScript script (`./scripts/scan.ts`) using the Bun runtime to automate the collection and conversion of IDE logs into markdown format.
- [DATA_EXFILTRATION]: The skill accesses sensitive local directories including `~/.cursor/projects` and the Cursor IDE's workspace storage to read conversation transcripts and project metadata. While these logs may contain proprietary code or sensitive data, their access is necessary for the skill's stated goal of session analysis.
- [EXTERNAL_DOWNLOADS]: The HTML report template (`temp/report_temp.html`) references font assets from Google's well-known service (`fonts.googleapis.com`), which is a safe external reference.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted conversation transcripts during analysis.
  - Ingestion points: Reads transcripts from `~/.agent-insights/conversations/` into LLM prompts.
  - Boundary markers: Uses specific headers like "会话内容:" but lacks robust sanitization to prevent embedded instructions in the logs from influencing the summary or feature extraction logic.
  - Capability inventory: Filesystem read/write operations via script and report generation.
  - Sanitization: No explicit escaping or filtering is applied to transcript content before processing.
Audit Metadata