context-guardian
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute Python scripts using hardcoded absolute file paths (e.g.,
C:\Users\renat\skills\context-guardian\scripts\context_snapshot.py). This establishes a dependency on a specific filesystem structure and user profile environment. - [DATA_EXFILTRATION]: The skill accesses and modifies internal agent state files, specifically the
MEMORY.mdfile located within the.claudeproject configuration directory. While used for the intended purpose of context preservation, this demonstrates the capability to modify the agent's long-term persistent state. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data processing workflow. It extracts information from arbitrary conversation history and persists it into snapshot files and memory.
- Ingestion points: The skill parses the entire conversation stream to extract technical decisions, bug fixes, and progress states (defined in
references/extraction-protocol.md). - Boundary markers: The protocol lacks explicit instructions to sanitize or ignore executable instructions that may be embedded within the extracted text.
- Capability inventory: The skill possesses file-write capabilities (
context_snapshot.py) and command execution capabilities (instructing the agent to runpythonand shell commands). - Sanitization: No sanitization or escaping of the extracted conversation data is performed before it is written to the filesystem, meaning malicious data from the conversation could be 'smuggled' into persistent memory files.
Audit Metadata