copilot-history-ingest
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to survey and process local data. Evidence includes using
lsto find session directories andsqlite3to querysession-store.dbfor turns and checkpoints. - [SAFE]: The skill accesses local configuration files (
.env,~/.obsidian-wiki/config) and sensitive application logs (~/.copilot/session-state) which is consistent with its primary purpose of knowledge ingestion. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted chat logs from GitHub Copilot.
- Ingestion points: Reads turns, user messages, and assistant responses from
events.jsonl,session-store.db, and transcript JSONL files. - Boundary markers: No explicit delimiters or instruction-ignore warnings are specified for the log content.
- Capability inventory: Executing shell commands (
ls,sqlite3) and writing to the Obsidian vault. - Sanitization: The instructions recommend skipping reasoning fields and secrets but do not provide specific sanitization logic for the extracted content.
Audit Metadata