skills/dwsy/agent/improve-skill/Gen Agent Trust Hub

improve-skill

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The script scripts/extract-session.js accesses sensitive directories containing private user conversation history. Specifically, it targets:
      • ~/.claude/projects/ (Claude Code sessions)
      • ~/.pi/agent/sessions/ (Pi sessions)
      • ~/.codex/sessions/ (Codex sessions)
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script that uses the fs module to perform directory traversal and read the contents of hidden application metadata folders in the user's home directory.
  • [PROMPT_INJECTION]: This skill presents a significant indirect prompt injection surface by processing untrusted data (session transcripts) and using it to generate executable instructions or documentation that is written back to the filesystem.
      • Ingestion points: scripts/extract-session.js reads .jsonl session files from local app data folders.
      • Boundary markers: None. The prompt templates in SKILL.md do not use delimiters or instructions to ignore embedded commands within the transcript.
      • Capability inventory: The skill instructs the agent to write files to disk, specifically SKILL.md files within ~/.codex/skills/, ~/.claude/skills/, and ~/.pi/agent/skills/.
      • Sanitization: There is no evidence of sanitization or validation of the transcript content before it is used to influence the writing of new skill files.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 4, 2026, 06:09 AM