worklog-report
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it summarizes external content taken from git history and tool sessions.
  - Ingestion points: The script `scripts/collect.py` reads commit messages and prompt strings from Claude Code and Cursor session databases.
  - Boundary markers: The prompt template in `SKILL.md` has no explicit delimiters separating untrusted content from instructions.
  - Capability inventory: The skill uses `subprocess.run` to execute git and can read files from the home directory.
  - Sanitization: Raw data is passed directly to summarization without filtering or escaping.
- [DATA_EXFILTRATION]: The skill accesses local application data that contains sensitive interaction history.
  - Evidence: It reads from `~/.claude/projects` and `~/Library/Application Support/Cursor/User/workspaceStorage` to extract session metadata and first prompts.
- [COMMAND_EXECUTION]: The skill executes local shell commands to gather data.
  - Evidence: It uses `subprocess.run` to call `git log` on repositories in the workspace. Additionally, the bash command in `SKILL.md` interpolates environment variables such as `GIT_AUTHOR`, which could lead to command substitution if those variables contain malicious sequences. Note that bash does not re-parse the result of a quoted expansion such as `"$GIT_AUTHOR"` for command substitution; the risk arises when the variable's value is substituted into the command text before the shell parses it (for example, when the agent fills the template by textual replacement, or when the assembled string is passed to `eval` or `bash -c`).
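The command substitution path described in the COMMAND_EXECUTION finding, as an added example that is not part of the audit or of the skill's own code. The template `git log --author=${GIT_AUTHOR}`, the function names and the value assigned to `PAYLOAD` are assumptions; `printf` stands in for `git` so the script runs offline. It contrasts textual interpolation followed by re-parsing (`eval`) with quoted expansion, and adds the allowlist check a practitioner would put in front of either.

```shell
#!/bin/sh
# Added example, not code from the audited skill. It contrasts the two ways an
# environment variable such as GIT_AUTHOR can reach a shell command. The
# template "git log --author=${GIT_AUTHOR}" is a hypothetical stand-in for the
# command in SKILL.md; printf replaces git so the example runs anywhere.

# Constructed attacker-controlled value (e.g. exported from a project .env file).
PAYLOAD='alice$(echo INJECTED)'

# Unsafe: the variable's text is spliced into the command string, and the
# result is then parsed by the shell (what happens when an agent fills the
# template by textual replacement, or when the string is passed to eval or
# "bash -c"). The $(...) inside the value is executed.
unsafe_author_arg() {
    cmd="printf '%s' --author=$1"   # value pasted into the command text
    eval "$cmd"                     # shell parses it again: $(...) runs
}

# Safe: expand the variable as a quoted word. Expansion results are never
# re-parsed for command substitution, so $(...) stays literal.
safe_author_arg() {
    GIT_AUTHOR=$1
    printf '%s' "--author=$GIT_AUTHOR"
}

# Defence in depth: reject values outside a conservative allowlist before
# they reach any command, however it is built. Returns 0 if acceptable.
validate_author() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | grep -q '[^A-Za-z0-9@._ <>-]' && return 1
    return 0
}

unsafe_author_arg "$PAYLOAD"; echo   # --author=aliceINJECTED
safe_author_arg "$PAYLOAD"; echo     # --author=alice$(echo INJECTED)
validate_author "$PAYLOAD" || echo "rejected: $PAYLOAD"
```

The quoted form is the correct fix for a command the shell itself expands; the allowlist is what protects a template that an agent fills by string replacement, because in that case no quoting in the template survives the substitution.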
Audit Metadata