continue-claude-work
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8).
- Ingestion points:
scripts/extract_resume_context.pyreads and parses transcript files (.jsonl) from~/.claude/projects/which contain historical user messages and tool outputs. - Boundary markers: Absent. The extracted content is placed into the current conversation under Markdown headers like 'Last User Requests' and 'Compact Summary' without specific instructions for the agent to disregard embedded commands or treat the text as untrusted data.
- Capability inventory: The skill enables the agent to execute Python scripts and Git commands. The recovered context is intended to drive further actions using the agent's standard toolset (Write, Edit, Bash).
- Sanitization: Absent. Historical text is extracted and presented to the agent exactly as it appeared in previous sessions, allowing for the potential 're-play' of malicious instructions if the past session was compromised.
- [COMMAND_EXECUTION]: The skill executes local commands to retrieve system and workspace state.
- The skill runs a bundled Python script
scripts/extract_resume_context.pyto process local session files. - The script invokes
git branch,git status, andgit logviasubprocess.runto provide the agent with current workspace context.
Audit Metadata