context-recovery

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The protocol executes shell commands, including grep and xargs, using keywords derived from external chat history. There is no evidence of sanitization or escaping for these keywords before they are interpolated into the commands. This creates a risk of command injection if a keyword contains shell metacharacters such as backticks or subshells.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local directories, specifically ~/.clawdbot-*/agents/*/sessions and ~/clawd-*/memory/. While this access is required for its primary function of context recovery, it exposes historical conversation logs and memory entries across all agent sessions to the active agent context.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its data ingestion points.
      • Ingestion points: It fetches untrusted content from external platforms via message:read and reads local session logs.
      • Boundary markers: Recovered data is placed into a structured summary, but there are no explicit delimiters or instructions to ignore embedded commands within that data.
      • Capability inventory: The skill has access to shell execution (bash, jq, grep, cat) and network/tool operations (message:read).
      • Sanitization: There is no sanitization or filtering of the recovered text before it is presented to the LLM, allowing malicious instructions in the chat history to influence agent behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 09:43 AM