skill-idea-miner
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads session logs from ~/.claude/projects/, which contain sensitive history of user messages and tool interactions. Evidence: scripts/mine_session_logs.py iterates through and reads JSONL files in the user's local Claude projects directory.
- [COMMAND_EXECUTION]: The skill uses subprocess.run to call the claude CLI for idea extraction and scoring. Evidence: scripts/mine_session_logs.py and scripts/score_ideas.py both execute the claude command with user-derived content as input.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates untrusted user messages from session logs into prompts for the Claude CLI. Ingestion points: scripts/mine_session_logs.py parses message content from .jsonl files. Boundary markers: the prompt structure uses JSON formatting but lacks explicit security delimiters for raw log content. Capability inventory: the skill can execute local commands (the claude CLI) and write files to the system (raw_candidates.yaml, idea_backlog.yaml). Sanitization: includes a filter for automated prompt prefixes (_is_automated_prompt) and uses structured JSON parsing (_extract_json_from_claude) for LLM output.
Audit Metadata