ruminate
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses and reads sensitive conversation logs from hidden directories in the user's home folder. These files contain a history of user interactions which may include proprietary code, secrets, or personal information.\n
- Evidence: Accesses
~/.claude/projects/and~/.codex/sessions/to extract interaction data.\n- [COMMAND_EXECUTION]: The skill executes local scripts to perform snapshots and data extraction.\n - Evidence: Runs
sh .claude/skills/meditate/scripts/snapshot.shandpython3 scripts/extract-conversations.py.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from historical conversation logs.\n - Ingestion points: Conversation data is loaded from
.jsonlfiles in~/.claude/projects/and~/.codex/sessions/usingscripts/extract-conversations.py.\n - Boundary markers: The extraction script wraps message content in
[USER]:and[ASSISTANT]:labels, providing minimal structural separation.\n - Capability inventory: The skill has the ability to write to files in the
brain/directory, updateSKILL.mdfiles, and modifybrain/index.md.\n - Sanitization: The script truncates message length but does not sanitize or escape the content to prevent instructions within the logs from being interpreted as commands by the analysis agents.
Audit Metadata