xray
Warn
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions contain shell snippets that are highly vulnerable to command injection. Specifically, the `/xray memory read <name>` and `/xray memory forget <name>` subcommands interpolate the user-provided `<name>` argument directly into a bash command (`ls "$MEMORY_DIR"/*<name>*.md`). An attacker could provide a name containing shell metacharacters (e.g., `;`, `|`, or `` ` ``) to execute arbitrary commands with the agent's privileges.
- [DATA_EXFILTRATION]: The skill requests broad read access to the user's home directory, specifically targeting `~/.claude/projects/`, which contains internal agent memory, auto-memory files, and session history. This allows for the exposure of sensitive development logs and historical project data.
- [COMMAND_EXECUTION]: The skill utilizes a custom CLI tool `arra-oracle-skills` for listing installed skills. While this appears to be a vendor-specific tool, the skill's instructions for gathering information involve executing this external binary, which could lead to unexpected behavior if the binary's integrity is not verified.
- [COMMAND_EXECUTION]: The 'Forget' functionality performs file deletions on the local filesystem. Although the instructions state that confirmation is required, the underlying capability to programmatically remove files from the Claude configuration directory is a significant privilege.