session-memory
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill executes several bash commands (
cat,ls,jq,git) to retrieve agent state and session history. These operations are performed on local, hardcoded paths within the.claude/directory. - PROMPT_INJECTION (LOW): Indirect prompt injection vulnerability surface detected via the session memory processing loop.
- Ingestion points: The file
.claude/homunculus/observations.jsonlis checked for content and subsequently processed by a background sub-agent. - Boundary markers: Absent. There are no delimiters or explicit instructions to the sub-agent to ignore instructions embedded within the observation data.
- Capability inventory: The skill has the ability to spawn background sub-agents and execute arbitrary shell commands.
- Sanitization: Absent. Data from previous sessions is loaded and processed directly, which could lead to re-injection of malicious instructions if the agent previously recorded untrusted input.
Audit Metadata