start-session
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted external data in the form of a file path provided via $ARGUMENTS and explicitly instructs the agent to read and analyze its content.
  - Ingestion points: the $ARGUMENTS variable, which accepts a "file path" per the argument-hint.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore potential commands embedded within the file content it reads.
  - Capability inventory: The skill is granted Read, Write, and Glob tool permissions.
  - Sanitization: Absent. There is no logic to restrict the file path to a specific directory or to validate that the file content does not contain malicious instructions.
- Data Exposure (HIGH): By allowing the Read tool to be used on an arbitrary path provided by the user, the skill enables the extraction of sensitive local data (e.g., ~/.ssh/id_rsa or .env files) into the agent's context and potentially into the session logs stored in .claude/learning-sessions/.
- Persistence Mechanisms (LOW): The skill systematically writes to .claude/learning-sessions/index.json and creates new session files. While this is the intended functionality, it establishes a persistent footprint on the file system for every triggered session.
Recommendations
- AI detected serious security threats
Audit Metadata