breadcrumbs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates a persistent vulnerability by ingesting data from the local file system and treating it as authoritative session history.
  - Ingestion points: `.claude/breadcrumbs.md` and `~/.claude/breadcrumbs/` are read at session start (File: SKILL.md).
  - Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the breadcrumbs, making it susceptible to malicious instructions formatted as history.
  - Capability inventory: The skill has `file: read` and `file: write` permissions, and can execute shell commands, granting injected instructions significant reach.
  - Sanitization: No sanitization or validation of the file content is performed before it is summarized into the agent's context.
- Data Exposure (LOW): The skill targets the user's home directory (`~/.claude/breadcrumbs/`), which extends the agent's access beyond the project-specific directory and potentially exposes global user context to manipulation.
- Command Execution (INFO): The skill utilizes shell commands (`cat`, `echo`) to manage its state. While used for benign purposes, this establishes the capability for command-line interaction.
Recommendations
- AI detected serious security threats
Audit Metadata