trace
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute bash commands in `SKILL.md` using unvalidated user inputs for `[query]`, `[url]`, and `[path]`. Commands such as `ghq get -u "$URL"`, `find ... -name "*[query]*"`, and `grep -r "[query]"` are vulnerable to command injection if a user or an indirect source provides values containing shell metacharacters like backticks or subshell expansions.
- [DATA_EXFILTRATION]: The `scripts/dig.py` script reads Claude Code session logs (`.jsonl` files) from the `PROJECT_DIRS` environment path. These logs contain the full history of interactions, which may include sensitive code, business logic, or credentials discussed in previous sessions. The skill then distills this data into trace logs that are intended to be committed to version control.
- [EXTERNAL_DOWNLOADS]: The skill uses the `ghq` tool to clone repositories from arbitrary external URLs provided by the user in the `[url]` parameter.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to the ingestion of untrusted data from git logs, repository files, and GitHub issues/PRs.
  - Ingestion points: Git history, remote repository files, session logs, and GitHub issue/PR descriptions.
  - Boundary markers: None; search results are compiled into a trace log without delimiters or warnings.
  - Capability inventory: Filesystem writes to `ψ/memory/traces/`, shell execution of `find`, `grep`, `git`, and `gh`, and tool calls to `arra_trace`.
  - Sanitization: None; the skill interpolates raw external content into agent prompts and markdown files.
Audit Metadata