skill-auditor
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive user session transcripts located in ~/.claude/projects/ and skill definitions in ~/.claude/skills/. This data is read locally to perform routing analysis, but the content is exposed to LLM sub-agents during the evaluation process.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted session history.
  - Ingestion points: scripts/collect_transcripts.py reads user session history files into the analysis workspace.
  - Boundary markers: Instructions for sub-agents lack explicit delimiters or specific warnings to ignore instructions embedded within the transcripts being analyzed.
  - Capability inventory: The skill possesses the capability to modify local SKILL.md files via scripts/apply_patches.py and can execute shell commands such as open and python3.
  - Sanitization: Session content is processed without evidence of sanitization or filtering before being passed to sub-agents.
- [COMMAND_EXECUTION]: The skill orchestrates several local Python scripts to manage data collection, analysis, and report generation. It also uses the open command to launch the interactive HTML report in the user's browser.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing tiktoken, a well-known Python library from a trusted organization (OpenAI) used for accurate token counting.
Audit Metadata