session
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute local bash scripts by interpolating potentially untrusted variables into command strings.
  - Evidence: In `references/session-control.md`, the instruction `./scripts/session-control.sh --fork <id|current> --reason "<text>"` uses the `fork_reason` variable inside double quotes, which is vulnerable to command injection if the text contains characters like `$(...)` or backticks.
  - Evidence: In `references/state-transition.md`, the variable `event_data` is interpolated into a shell command: `./scripts/session-state.sh --state <state> --event <event> [--data <json>]`. Direct interpolation of JSON strings into shell commands without escaping is a high-risk pattern.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection through its cross-session communication feature.
  - Ingestion points: Data is read from `.claude/state/session.events.jsonl`, which stores messages broadcast from other sessions.
  - Boundary markers: No delimiters or safety instructions are provided to the agent to treat this external session data as untrusted content.
  - Capability inventory: The skill uses `Bash`, `Write`, and `Edit` tools to process and act upon the data received from these events.
  - Sanitization: There is no evidence of sanitization or validation logic to ensure that incoming messages do not contain malicious instructions or shell injection payloads.
Audit Metadata