copilot-history-ingest

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands to survey and process local data. Evidence includes using ls to find session directories and sqlite3 to query session-store.db for turns and checkpoints.
  • [SAFE]: The skill accesses local configuration files (.env, ~/.obsidian-wiki/config) and sensitive application logs (~/.copilot/session-state) which is consistent with its primary purpose of knowledge ingestion.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted chat logs from GitHub Copilot.
  • Ingestion points: Reads turns, user messages, and assistant responses from events.jsonl, session-store.db, and transcript JSONL files.
  • Boundary markers: No explicit delimiters or instruction-ignore warnings are specified for the log content.
  • Capability inventory: Executing shell commands (ls, sqlite3) and writing to the Obsidian vault.
  • Sanitization: The instructions recommend skipping reasoning fields and secrets but do not provide specific sanitization logic for the extracted content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 12:14 AM
Security Audit — agent-trust-hub — copilot-history-ingest