ce-session-extract
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The execution logic defined in SKILL.md (e.g., `cat <file> | python3 ...`) accepts an unvalidated absolute file path as a positional argument. This pattern is vulnerable to arbitrary file access and could potentially be exploited for shell command injection if the path string is manipulated by a malicious agent or user.
- [DATA_EXFILTRATION]: Because the skill facilitates reading any file accessible to the agent process via the `<file>` argument, it can be used to expose sensitive information (such as credentials, configuration files, or environment variables) to the calling agent.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the session logs it processes.
  - Ingestion points: Data is read from JSONL session files provided via the `<file>` argument.
  - Boundary markers: No boundary markers or 'ignore' instructions are used to separate the input data from the processing logic.
  - Capability inventory: The skill uses shell-level file access (`cat`) and returns a narrative summary to the caller, creating a trust chain risk.
  - Sanitization: While the `extract-skeleton.py` script uses regex to strip framework tags, it does not sanitize the text for malicious natural language instructions.
Audit Metadata