context-agent
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it extracts data from untrusted session logs and inserts it into the agent's memory.
- Ingestion points: `scripts/session_parser.py` reads Claude Code `.jsonl` session logs, and `scripts/active_context.py` reads `ACTIVE_CONTEXT.md`.
- Boundary markers: Absent. The skill uses standard Markdown headers but does not wrap extracted content in protective delimiters or include instructions for the LLM to ignore embedded commands.
- Capability inventory: The provided scripts do not contain dangerous capabilities such as `eval()`, `exec()`, or `subprocess` calls.
- Sanitization: Absent. Content is extracted via regular expressions (e.g., in `scripts/session_summary.py`) without validation or escaping. Malicious input provided during a chat session could be saved as a 'decision' or 'task' and subsequently loaded into the system prompt of future sessions via `MEMORY.md`.
Audit Metadata