wizard
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is configured to access sensitive file paths containing private user information.
  - Evidence: In SKILL.md, the 'Conversation History Search' section explicitly describes a strategy for reading JSONL files from ~/.claude/projects/. This directory typically contains the full history of a user's interactions with the AI, which may include credentials, private keys, or proprietary information discussed in previous sessions.
  - Impact: Accessing these files exposes historical private data to the current agent session, creating a risk of accidental disclosure or exploitation if the agent is compromised by malicious instructions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of reading and summarizing untrusted data.
  - Ingestion points: The skill reads SKILL.md files, README.md, CONTRIBUTING.md, source code files, and conversation history.
  - Boundary markers: There are no technical delimiters or instructions implemented to prevent the agent from obeying instructions that might be embedded within the documentation it is tasked to audit or the history it is searching.
  - Capability inventory: The skill possesses Write and Edit permissions, enabling it to modify any documentation file within the project directory.
  - Sanitization: The provided script scripts/audit_docs.py and the prompt templates in SKILL.md do not include any logic to sanitize or escape content read from external files before it is processed by the LLM.
Audit Metadata