reflect

Warn

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's primary mechanism involves ingesting untrusted transcript data (from transcripts.jsonl) to dynamically modify instruction files (SKILL.md) for the agent. This creates an indirect prompt injection surface where external inputs can permanently influence system behavior.
  • [COMMAND_EXECUTION]: Multiple scripts use the subprocess module to execute Git commands for versioning and to call the 'claude' CLI for semantic analysis. The skill also registers a background 'Stop' hook (scripts/hook-stop.sh) that runs after sessions end.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Analysis: (1) Ingestion Points: transcript.jsonl data enters via extract_signals.py. (2) Boundary Markers: None identified to delimit untrusted transcript data. (3) Capability Inventory: Script execution and file modification within ~/.claude/skills. (4) Sanitization: Validation is limited to YAML structural integrity rather than semantic safety.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 03:02 PM