context-recovery

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands like grep and cat (Step 4 and Step 6) with variables derived from external channel history (e.g., <keyword>). This represents a command injection vulnerability as metacharacters in the messaging history could be used to execute arbitrary commands within the agent's environment.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local files including session logs (~/.clawdbot-*/agents/*/sessions/*.jsonl) and memory files (~/clawd-*/memory/) using broad wildcard patterns. This data is then summarized and presented back to the user in the messaging channel (Discord, Slack, etc.). In a multi-user or public channel environment, this could lead to the unauthorized exposure of private session details from other agents or sessions.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: Messaging history retrieved via message:read (SKILL.md Step 2).
      • Boundary markers: Absent; the skill processes raw message content into a synthesis summary.
      • Capability inventory: exec (shell, jq, grep), file_write (memory updates), network (messaging API).
      • Sanitization: Absent; the skill does not filter or escape content retrieved from external messaging platforms before using it in logic or summaries.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 24, 2026, 03:38 AM