cross-source-fact-verification
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill explicitly targets sensitive local directories for data extraction, including ~/.claude/projects/*/ and ~/.claude/skills/learned/. These paths contain internal state, session history, and metadata about the AI agent's operations and user interactions. Accessing these logs constitutes an unauthorized exposure of private interaction history.
- Command Execution (MEDIUM): The instructions require the agent to execute system-level commands such as git log, ls -la, and stat to gather evidence. While these are standard tools, using them to audit sensitive internal application paths increases the risk of unintended information disclosure.
- Indirect Prompt Injection (MEDIUM): The skill's primary function is to ingest and process data from external or untrusted sources (drafts, external articles, and logs) to construct a 'verified timeline'.
  - Ingestion points: drafts/*.md, articles/*.md, and internal system logs in ~/.claude/.
  - Boundary markers: None. The skill does not implement delimiters or instructions to ignore embedded commands within the files being verified.
  - Capability inventory: File system read access, system command execution (git, ls, stat).
  - Sanitization: None. The skill assumes 'Debug logs' are a source of truth, which could be problematic if those logs contain malicious instructions from previous sessions.
- Metadata Poisoning (LOW): The skill author and extraction dates are hardcoded in the metadata, but do not appear to contain malicious instructions.
Recommendations
- AI detected serious security threats
Audit Metadata