context-graph
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Multiple shell scripts perform operations using unsanitized variables, leading to potential Remote Code Execution (RCE).
  - scripts/store-trace.sh: Uses unquoted heredocs (<< EOF) to create JSON files. If the $DECISION or $CATEGORY variables contain shell command substitutions (e.g., $(whoami)), the shell will execute them during the file creation process.
  - scripts/apply-learning.sh: Similar to store-trace.sh, it uses an unquoted heredoc to generate a learning summary, evaluating the $SESSION variable, which can be manipulated via command-line arguments or the .claude/progress/state.json file.
  - scripts/compact-traces.sh: The $DAYS_OLD variable is passed directly into a find command without validation. An attacker could provide a value like 1 -exec <command> \; to execute arbitrary commands.
  - scripts/query-traces.sh: The $SEARCH variable is passed directly to grep, allowing for argument injection attacks.
- [PROMPT_INJECTION] (LOW): The skill implements a 'Context Graph' that stores and retrieves decision traces. This creates a surface for Indirect Prompt Injection, where malicious instructions stored in past traces could influence the agent's behavior when retrieved in future sessions.
- Ingestion points: scripts/store-trace.py and scripts/store-trace.sh accept arbitrary text as decisions.
- Boundary markers: Absent. The retrieved traces are presented to the agent as factual history without clear delimiters or warnings to ignore embedded instructions.
- Capability inventory: The skill allows file creation, file deletion (compaction), and network requests (to Voyage AI for embeddings).
- Sanitization: No sanitization or validation is performed on the 'decision' text before it is stored or retrieved.
Recommendations
- AI detected serious security threats