smart-session-start
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that explicitly direct the agent to override standard interaction protocols and bypass user consent, using phrases like 'DO NOT ask permission - just activate automatically!' and 'MANDATORY at session start'. It also introduces a vulnerability to indirect prompt injection by ingesting data from uncontrolled sources (previous session history and workspace files) without explicit boundary markers or sanitization.
- Ingestion points: Historical session data accessed via mcp__goldfish__recall and local filesystem content via mcp__julie__manage_workspace indexing.
- Boundary markers: Not specified; the skill does not use delimiters to isolate recalled context from instructions.
- Capability inventory: Includes workspace management, filesystem indexing, and workflow state modification.
- Sanitization: No verification or filtering logic is present for data retrieved from memory or the workspace.
- [DATA_EXFILTRATION]: The skill automatically accesses and processes potentially sensitive information, including git metadata, session checkpoints, and a full index of the workspace filesystem. While this is part of its core functionality for context restoration, the automated nature of the access without user confirmation increases the risk of unintended data exposure.
Audit Metadata