agent-history
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use a local CLI tool named `ochist` to perform its primary functions, including listing sessions, searching content via grep, and retrieving message parts. This involves executing shell commands with various flags and arguments.
- [PROMPT_INJECTION]: The skill is a surface for indirect prompt injection because it ingests conversation history from previous sessions. If those past sessions contained untrusted content or malicious instructions that were logged, re-reading that content via `ochist part` or `ochist grep` could cause the agent to follow instructions embedded within the historical data.
- Ingestion points: Data enters the agent's context through commands like `ochist part <part_id>` and `ochist show <session> --full`.
- Boundary markers: No explicit boundary markers or XML tags are suggested to wrap the historical content to prevent it from being interpreted as instructions.
- Capability inventory: The agent can use the output of history retrieval to inform decisions and potentially trigger other tools available in its environment.
- Sanitization: The skill does not describe any sanitization or filtering of the historical text before it is processed by the agent.
Audit Metadata