load-conversation
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The shell script `scripts/load.sh` executes platform-specific binaries (`ch-load-*`) from the `bin/` directory. These pre-compiled binaries are opaque and their source code is not provided for security auditing, which is a high-risk practice as they can perform unauthorized actions with the user's system permissions.
- [COMMAND_EXECUTION]: The skill uses the `exec "$LOAD_BIN" "$@"` pattern to run the selected binary with all arguments passed from the agent. This creates a direct execution path for parameters that may be derived from external user input.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection. Ingestion points: a conversation UUID is extracted from the user's request as defined in `SKILL.md`. Boundary markers: the extracted UUID is enclosed in double quotes in the bash command template. Capability inventory: the skill executes local binaries and retrieves full message transcripts from a history database. Sanitization: no input validation or sanitization is performed on the arguments within the shell script; the skill relies entirely on the agent's ability to correctly extract a safe UUID string.
Recommendations
- AI detected serious security threats
Audit Metadata