oracle
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The script `scripts/analyze_history.py` is designed to access the sensitive path `~/.claude/projects/`. This directory stores full conversation logs from Claude Code, which often contain proprietary information, project logic, and potentially credentials or secrets discussed during development sessions.
- [COMMAND_EXECUTION]: The `scripts/analyze_patterns.py` script identifies repeated activities in session logs and dynamically generates bash scripts in the `.oracle/scripts/` directory. These scripts are automatically made executable using `chmod +x`. This provides a direct path for command execution if malicious patterns are introduced into the logs.
- [PROMPT_INJECTION]: The skill architecture creates an indirect prompt injection vulnerability by ingesting data from past sessions and injecting it into current prompts.
  - Ingestion points: Mined history from `~/.claude/projects/` and session logs in `.oracle/sessions/`.
  - Boundary markers: None identified in the context generation logic.
  - Capability inventory: Execution of shell scripts and git commands via subprocess.
  - Sanitization: Lacks sanitization for the natural language content extracted from history before injection into the prompt.
- [REMOTE_CODE_EXECUTION]: The combination of mining untrusted conversation history and using it to generate executable scripts creates a surface for code execution. Content encountered by the analyzer during history mining could potentially influence the generation of malicious scripts.
Recommendations
- AI detected serious security threats
Audit Metadata