improve-skill
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive agent session logs located in the user's home directory:
~/.claude/projects/,~/.pi/agent/sessions/, and~/.codex/sessions/. These logs contain the complete history of user-agent interactions, which may include proprietary code, environment details, and personal data. While this access is central to the skill's purpose, it represents significant exposure of private local data. - [COMMAND_EXECUTION]: The skill executes a local Node.js script (
./scripts/extract-session.js) to locate, read, and parse session files. It also instructs the agent to write improved skill files back to the local file system. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data (past session transcripts) and asks the agent to analyze that data to generate new instructions or modify existing ones. If a processed transcript contains malicious instructions intended for the agent, the agent may inadvertently follow them during the 'improvement' or 'creation' phase.
- Ingestion points:
scripts/extract-session.jsreads and outputs content from session logs. - Boundary markers: The skill suggests using
<session_transcript>XML-style tags in the improvement prompt, which provides some structure but does not prevent determined injection. - Capability inventory: The agent has the capability to execute shell scripts, read session logs, and write markdown files to the local file system.
- Sanitization: No sanitization or filtering is performed on the transcript content before it is processed by the agent.
Audit Metadata