conversation-search
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/search.sh` detects the user's platform and executes a corresponding pre-compiled binary (e.g., `ch-search-darwin-arm64`). Since the source code for these binaries is not provided, their internal operations, such as file system access beyond the stated scope or network communications, cannot be verified.
- [PROMPT_INJECTION]: The skill exposes the agent to indirect prompt injection by retrieving and processing historical conversation data.
  - Ingestion points: The skill indexes conversation history located at `~/.claude/projects/`.
  - Boundary markers: The prompt instructions do not specify any delimiters or safety markers to help the agent distinguish between search results and instructions.
  - Capability inventory: The skill allows for the execution of arbitrary platform-specific binaries provided in the `bin/` directory.
  - Sanitization: There is no evidence of content sanitization or instruction-stripping performed on the conversation snippets retrieved from the database.
Audit Metadata