agent-consciousness
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read from sensitive local paths including
~/.claude/projects/*.jsonland.entire/logs/entire.log. These files contain full transcripts of previous AI sessions which often include sensitive information, API keys, or private code snippets that are then processed and stored in the repository'sdocs/directory. - [COMMAND_EXECUTION]: The architecture requires the setup of
pre-pushgit hooks and the execution of variousmakecommands (e.g.,make smoke,make check). This allows the agent to establish persistent, automated execution of scripts within the developer's environment. - [PROMPT_INJECTION]: The 'Self-Evolution Cycle' described in the skill creates a significant indirect prompt injection vulnerability. By ingesting past conversation logs and 'crystallizing' them into architecture docs and
.control/policy.yamlrules, the system allows instructions from potentially untrusted past inputs to be promoted to enforced system behaviors. Evidence: 1. Ingestion points:~/.claude/projects/*.jsonl. 2. Boundary markers: None present. 3. Capability inventory: Writing to.control/policy.yamland managing git hooks. 4. Sanitization: No sanitization logic is described for the bridge script. - [REMOTE_CODE_EXECUTION]: The skill references an external script
scripts/conversation-history.pywhich it instructs the agent to install from a separateknowledge-graph-memoryskill. The content of this external script is not provided, making it an unverifiable dependency that executes logic on local session data.
Recommendations
- AI detected serious security threats
Audit Metadata