session-debrief
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read session history files located in ~/.claude/projects/, which contain sensitive logs of user interactions, source code, and tool outputs. This information is transmitted to an external service (MiniMax API) for processing.
- [CREDENTIALS_UNSAFE]: The skill explicitly accesses a secret file at ~/.claude/.secrets/ccterrybot-telegram to retrieve the MINIMAX_API_KEY for authentication, exposing local credential storage practices.
- [COMMAND_EXECUTION]: The skill uses the Agent tool to execute shell commands via bun to run a local TypeScript script (session-debrief.ts) with arguments derived from user input.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: Session histories are read from ~/.claude/projects/*.jsonl (SKILL.md).
  - Boundary markers: Absent; no delimiters or instructions to ignore embedded commands are used when processing logs.
  - Capability inventory: The skill has access to the Agent tool for shell execution and Bash for command running.
  - Sanitization: No sanitization or validation of the ingested session data is mentioned before it is processed or used in prompts.
- [COMMAND_EXECUTION]: The skill contains self-modifying instructions under the 'Self-Evolving Skill' header, directing the agent to immediately edit the SKILL.md file to update its own instructions or practices based on runtime results.