worklog
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill performs persistent modification of the agent's environment by installing a UserPromptSubmit hook. It executes shell commands to create the ~/.claude/hooks/ directory, copies a script into the user's home folder, and applies execution permissions (chmod +x). Furthermore, it programmatically parses and merges new configuration into the agent's primary settings.json file to ensure the script runs automatically in the background.
- [DATA_EXFILTRATION]: The skill implements a background logging mechanism that captures all user prompts and saves them to ~/.claude/worklog/. While stored locally, this creates a centralized repository of potentially sensitive user data, including proprietary code, internal project details, and intent, which can be accessed or exfiltrated by other processes or skills without further user interaction.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes raw log files composed of previously captured user prompts.
  - Ingestion points: Raw text entries are read from ~/.claude/worklog/YYYYMMDD.md in Step 2.
  - Boundary markers: None. The skill does not utilize delimiters or specific instructions to ignore embedded commands within the log data.
  - Capability inventory: The skill has access to file modification tools (Edit, Write) and system commands (Bash), providing a significant attack surface if malicious instructions are processed from the logs.
  - Sanitization: None. The skill processes the raw logs directly into a prose summary, which could allow maliciously crafted prompts in the logs to influence the agent's behavior during the summarization or saving phase.
Recommendations
- AI detected serious security threats
Audit Metadata