part3-wrap
Fail
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: HIGH
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to access and analyze sensitive session history files stored in ~/.claude/projects/. These logs encompass the full history of interactions with the agent, which often contains private source code, internal configuration details, and potentially exposed credentials or tokens from previous sessions.
- [REMOTE_CODE_EXECUTION]: In Block 1, the skill directs the agent to dynamically generate a new executable skill file (.claude/skills/my-session-wrap/SKILL.md) and subsequently execute it. Runtime script generation and execution bypass static analysis and allow for the introduction of arbitrary commands.
- [PROMPT_INJECTION]: The skill processes session history logs, which are treated as untrusted data that could contain malicious instructions from previous contexts (Indirect Prompt Injection).
  - Ingestion points: Session log files located in the ~/.claude/projects/ directory.
  - Boundary markers: The skill does not implement delimiters or specific instructions to the agent to disregard commands embedded within the historic logs.
  - Capability inventory: The agent has the capability to execute shell commands, read/write files, and install packages.
  - Sanitization: There is no evidence of filtering, escaping, or sanitizing the data extracted from the session history before it is processed by the agent.
- [COMMAND_EXECUTION]: The documentation explicitly encourages the user to have the agent install the jq system package if it is not already present, demonstrating the ability to modify the host system's environment.
Recommendations
- AI detected serious security threats
Audit Metadata