session-intelligence-harvester
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to analyze session history and update permanent instruction files such as `CLAUDE.md` and various agent files. This creates a risk of Indirect Prompt Injection.
  - Ingestion points: The skill ingests the entire session history (`SKILL.md`, Step 1) to extract 'learnings'.
  - Boundary markers: The skill does not define boundary markers or validation logic to ensure that extracted learnings do not contain malicious instructions meant to override agent safety or logic.
  - Capability inventory: The skill utilizes file system `Edit` tools and Git `Commit` operations to persist changes across the project infrastructure.
  - Sanitization: There is no evidence of content sanitization or safety filtering before session data is written into core system-level files.
- [DATA_EXFILTRATION]: The workflow includes a 'Commit' step (Step 6) that persists session-derived data into the version control history. If a session accidentally includes sensitive information, this skill could inadvertently capture and commit that data to the repository, making it part of the permanent project history and potentially syncing it to remote Git hosting providers.
- [PROMPT_INJECTION]: The 'Default to action' instruction in Step 4 explicitly directs the agent to implement updates rather than just proposing them. This 'action-first' bias reduces the likelihood of human review before sensitive system instructions are modified, which could be exploited to persist a temporary injection into the permanent instruction set.
Audit Metadata