ruminate
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads from
~/.claude/projects/, a directory containing private conversation logs from previous Claude sessions. This sensitive information is then formatted and passed to other automated agents for processing. - [COMMAND_EXECUTION]: The skill executes multiple shell commands and scripts: it calls a dependency from the 'meditate' skill (
sh .agents/skills/meditate/scripts/snapshot.sh), runs its own Python extraction script (python3 .agents/skills/ruminate/scripts/extract-conversations.py), and deletes files usingrm -rf. - [PROMPT_INJECTION]: The skill processes historical conversation data which acts as an untrusted input source for indirect prompt injection. * Ingestion points: Conversation files are read from the
~/.claude/projects/directory. * Boundary markers: Messages are delimited with[USER]:and[ASSISTANT]:labels in the text extraction phase. * Capability inventory: The skill can execute shell commands, run Python scripts, and modify its own configuration (SKILL.md) or the user'sbrain/directory. * Sanitization: No filtering or sanitization of embedded instructions is performed on the historical message content.
Audit Metadata