agent-session-search
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends installing the 'cass' CLI tool using a 'curl | bash' command targeting a script on a third-party GitHub repository (Dicklesworthstone/coding_agent_session_search). This executes unverified remote code with the privileges of the current user.
- [EXTERNAL_DOWNLOADS]: The documentation indicates that the tool automatically downloads a machine learning model (MiniLM, ~23MB) from a remote server upon first use of its semantic search feature.
- [COMMAND_EXECUTION]: The skill depends entirely on the execution of an external binary ('cass'). It also includes instructions to modify shell profile files (like '.bashrc' or '.zshrc') to install shell completions, which constitutes a persistent system modification.
- [DATA_EXFILTRATION]: The tool accesses and indexes highly sensitive private data, including chat histories from Claude, Gemini, ChatGPT, Cursor, and Aider stored in locations like '~/.claude/projects' and '~/Library/Application Support/Cursor/User/'. The 'remote-sources' feature uses SSH and rsync to synchronize this data, creating a potential path for data exfiltration.
- [DATA_EXFILTRATION]: The skill accesses the user's SSH configuration file ('~/.ssh/config') to discover remote hosts for indexing, which is a high-sensitivity system file.
- [PROMPT_INJECTION]: The skill serves as a search engine for agent conversation history, creating a surface for indirect prompt injection where malicious instructions stored in past logs could be retrieved and executed by the current agent. Ingestion points: local chat history files from multiple agents. Boundary markers: none specified to separate search results from instructions. Capability inventory: the 'cass' binary can view files and sync data via SSH/rsync. Sanitization: no sanitization of the retrieved content is mentioned before it is presented to the agent.
- [PROMPT_INJECTION]: The 'Forgiving Syntax' feature in Robot Mode uses Levenshtein distance to auto-correct agent commands, which could be manipulated to trigger unintended command execution.
Recommendations
- AI detected serious security threats
Audit Metadata