skillkit
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONNO_CODE
Full Analysis
- [DATA_EXFILTRATION] (MEDIUM): The skill is configured to scan
~/.claude/projects/**/*.jsonl. These files contain sensitive user session history and raw chat logs. Accessing this directory constitutes a high-severity data exposure risk, though downgraded to MEDIUM as it is central to the skill's stated purpose of analytics. - [COMMAND_EXECUTION] (MEDIUM): The skill provides a destructive command
skillkit prune --yes. This allows the agent to perform automated, bulk deletion of files in the~/.claude/skills/directory without further human intervention if the flag is applied. - [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill ingests untrusted data from session logs which may contain malicious instructions embedded in previous model outputs or tool blocks.
- Ingestion points: Reads raw JSONL session files from
~/.claude/projects/. - Boundary markers: None mentioned; the skill assumes valid
tool_useblocks. - Capability inventory: File system read, local DB write, and file deletion (
prune). - Sanitization: No sanitization or validation of the ingested log content is described.
- [NO_CODE] (SAFE): The skill instructions reference an external CLI tool
skillkit(requiring the Bun runtime), but the actual implementation of this binary is not included in the skill package for security auditing.
Audit Metadata