
cass

Warn

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the external cass binary and several included shell and Python scripts.
      • Evidence found in SKILL.md and the scripts/ directory (e.g., scripts/recover.sh, scripts/prompt_miner.py).
  • [COMMAND_EXECUTION]: Provides functionality for multi-machine search using ssh and rsync to execute queries and sync data from remote hosts.
      • Detailed in references/REMOTE_SOURCES.md and implemented in scripts/multi_machine_search.sh.
  • [EXTERNAL_DOWNLOADS]: Documents a dependency on an external cass binary and supports downloading model bundles from HuggingFace via the cass models install command.
  • [PROMPT_INJECTION]: Presents an indirect prompt injection surface, as the agent is instructed to ingest and process untrusted historical conversation data from session logs.
      • Ingestion points: Reads .jsonl session files from Claude Code, Codex, and Gemini CLI directories (e.g., ~/.claude/projects/) as described in SKILL.md and references/SESSION_FORMATS.md.
      • Boundary markers: Instructions emphasize structured extraction using jq and line-number filtering to isolate user prompts.
      • Capability inventory: Extensive file system read access for session logs, shell execution for tool commands, and network connectivity via ssh.
      • Sanitization: Uses jq for parsing structured JSONL data to reduce risks associated with raw text ingestion.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 20, 2026, 08:28 AM