session-deep-dive

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PRIVILEGE_ESCALATION]: The skill spawns subagents using the 'bypassPermissions' mode, which allows the AI to perform actions without typical user consent or confirmation prompts.
      • Evidence: 'Task(subagent_type="general-purpose", model="haiku", mode="bypassPermissions", prompt="..."' in SKILL.md.
  • [COMMAND_EXECUTION]: The skill uses Python to dynamically update a local metrics file using string interpolation, which could lead to command injection if variables are not properly handled.
      • Evidence: 'python3 -c "import json; ids = {SESSION_IDS_SET} ..."' in Step 7 of SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The skill requires a third-party tool (ccrider MCP) from an untrusted GitHub repository, which could lead to the execution of unverified code if the user installs it.
      • Evidence: 'Requires ccrider MCP. See: https://github.com/neilberkman/ccrider' in SKILL.md.
  • [PROMPT_INJECTION]: The skill processes session transcripts through subagents. This creates a surface for indirect prompt injection, where malicious instructions embedded in a session transcript could influence the behavior of the subagents or the main agent.
      • Ingestion points: 'mcp__ccrider__get_session_messages(session_id: "{SESSION_ID}")' in SKILL.md.
      • Boundary markers: None present in the prompts to delimit untrusted transcript data.
      • Capability inventory: File writing, subagent spawning, and Python execution via 'python3 -c'.
      • Sanitization: No sanitization or validation of transcript content is performed before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 11:41 PM