clone
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill dynamically locates and executes an external shell script (`clone-conversation.sh`) from the user's home directory. Because the script's contents are not part of the skill, it represents an unverifiable dependency that could perform arbitrary actions on the system.
- [DATA_EXFILTRATION] (HIGH): The skill reads `~/.claude/history.jsonl`, which contains private conversation history, session IDs, and project paths. Accessing these files exposes internal application state and user activity to the AI agent.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM): The skill processes untrusted data from the history log and passes it as arguments to a shell command without sanitization. If a project name or session ID contains shell metacharacters, it could trigger unexpected command execution.
  - Ingestion points: `~/.claude/history.jsonl` (file access via `tail` and `jq`)
  - Boundary markers: None. Data is interpolated directly into a shell command string.
  - Capability inventory: Filesystem read (`tail`), search (`find`), and execution of local shell scripts.
  - Sanitization: None. The skill relies on `jq` to extract strings but does not escape them for shell safety before execution.
Recommendations
- AI detected serious security threats
Audit Metadata