session-history
Warn
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Unsanitized shell command construction using user-controlled variables.
  - The skill instructs the agent to build file paths using a `{target_date}` extracted from user input and a `{project_name}` derived from the working directory name.
  - These variables are used in the command `mkdir -p ~/history/{target_date}/{project_name}/` without instructions for escaping or sanitization, which allows for command injection if the input contains shell metacharacters (e.g., `;`, `&`, or backticks).
- [COMMAND_EXECUTION]: Vulnerable shell command execution for index management.
  - In `references/index-management.md`, the agent is instructed to run `grep "\"project\":\"$PROJECT_NAME\"" ~/history/index.jsonl`.
  - Maliciously named project directories can exploit this command to execute arbitrary shell code via the interpolated `$PROJECT_NAME` variable.
- [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface.
  - Ingestion points: The skill reads the session conversation transcript to perform summarization as defined in SKILL.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded instructions are provided for the conversation content.
  - Capability inventory: The skill utilizes file system writes and shell command execution (`mkdir`, `grep`, `realpath`, `basename`).
  - Sanitization: No sanitization logic is implemented for the data processed from the conversation or for the variables used in shell interpolation.
Audit Metadata