weekly-report
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths containing private AI session history, specifically ~/.claude/history.jsonl and ~/.codex/history.jsonl. Although this data is used for summarizing work activity, these files contain raw conversation logs.
- [COMMAND_EXECUTION]: The skill utilizes shell-based tools including git and lark-cli to gather evidence. This grants the agent the capability to execute commands and interact with external APIs to retrieve user data.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection through the processing of external data sources.
  - Ingestion points: Untrusted data is ingested from git commit history, Lark messages, Lark documents, and local markdown/PDF files.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing the collected evidence.
  - Capability inventory: The skill possesses the ability to read local files, execute shell commands (via git/lark-cli), and generate summaries that could be influenced by malicious content in the data.
  - Sanitization: There is no evidence of sanitization or filtering of the ingested content to prevent malicious instructions from affecting the agent's behavior.
Audit Metadata