meditate
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script `scripts/snapshot.sh` to recursively find and aggregate markdown files from the project structure into temporary files in `/tmp/`.
- [COMMAND_EXECUTION]: The 'Apply changes' step (Step 6) grants the agent the authority to perform destructive operations on the filesystem, including deleting 'low-value' or 'redundant' notes and rewriting the core project instruction file (`CLAUDE.md`).
- [DATA_EXFILTRATION]: The skill accesses and reads highly sensitive agent state from the internal auto-memory directory located at `~/.claude/projects/<project>/memory/`.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted markdown content from the 'brain' vault which then influences subagent decisions regarding which files to delete or modify.
  - Ingestion points: Reads all files in `brain/` and `.agents/skills/` via the snapshotting script.
  - Boundary markers: Files in the snapshot are delimited with path headers, but the subagent prompts in `references/agents.md` lack explicit instructions to disregard any embedded commands or instructions found within the audited notes.
  - Capability inventory: The skill has broad capabilities to delete files, merge content, and rewrite critical project configuration files (`CLAUDE.md`).
  - Sanitization: No sanitization or safety filtering is performed on the content of the notes before they are passed to the subagents for analysis.
Audit Metadata