prompt-reviewer
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of processing external conversation data.
  - Ingestion points: The script `extract_sessions.py` reads user-provided text from local session logs in `~/.claude`, `~/.codex`, and `~/.local/state/opencode`.
  - Boundary markers: The scoring workflow lacks explicit delimiters or instructions to treat the ingested data as non-executable text, increasing the risk that the agent might follow instructions embedded within the logs.
  - Capability inventory: The skill executes local Python scripts (`extract_sessions.py`, `save_review.py`, `show_trend.py`, `purge_sessions.py`) and has the capability to delete session files.
  - Sanitization: No sanitization or filtering is applied to the extracted prompt content before it is presented to the agent for evaluation.
- [COMMAND_EXECUTION]: The skill relies on executing local Python scripts to manage data extraction and history.
  - Evidence: `SKILL.md` directs the agent to execute several scripts (e.g., `python3 {skill_dir}/scripts/extract_sessions.py`) to perform session extraction and data persistence.
Audit Metadata