Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various system commands including `git diff`, `git log`, and `open` to reconstruct session history and open generated visual reports.
- [DYNAMIC_EXECUTION]: The skill automatically generates and writes Python and Bash scripts to `~/.claude/hooks/`. This allows for the creation of executable content based on session summaries, which can be risky if the input data is influenced by malicious content.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from session context, git logs, and diffs to determine what artifacts to create.
  - Ingestion points: `git diff`, `git log`, and conversation context.
  - Boundary markers: None specified to distinguish between developer intent and data content within the logs.
  - Capability inventory: Writing `.sh` and `.py` hooks, modifying `settings.json`, and executing system commands.
  - Sanitization: No explicit sanitization of session data is performed before it is used to generate configuration or scripts.
- [DATA_EXPOSURE]: The skill reads and modifies sensitive agent configuration and memory files located in `~/.claude/`, including `settings.json`, `agents/`, and `skills/` directories.
Audit Metadata