context-management

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill extracts content from conversation history and re-injects it into the agent context during "rehydration" without sanitization or boundary markers. Ingestion point: 'conversation_data' in 'snapshot' action (orchestrator.py). Boundary markers: Absent. Uses Markdown headers which are easily subverted by malicious content. Capability inventory: The agent typically has file write and command execution permissions. Restoration of untrusted content into the prompt allows an attacker to hijack agent behavior. Sanitization: Absent in 'context_rehydrator.py'.
  • [Path Traversal] (MEDIUM): The 'snapshot_id' parameter in the 'rehydrate' action is used to construct file paths without validation, allowing unauthorized reading of any '.json' file on the filesystem. Ingestion point: 'snapshot_id' parameter in 'rehydrate' action (orchestrator.py). Evidence: 'ContextRehydrator.get_snapshot_path' in 'context_rehydrator.py' performs insecure path concatenation: 'self.snapshot_dir / f"{snapshot_id}.json"'.
  • [Missing Source Files] (LOW): Several critical files referenced in code and tests ('context_extractor.py', 'automation.py', 'post_tool_use.py') are missing from the provided package, preventing a complete security audit of the extraction and automation logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:48 PM