conversation-recap
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script at
scripts/recap.shwhich in turn executes a binary namedch-recapusing a platform-provided resolution script. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it ingests and processes untrusted data from historical conversation logs.
- Ingestion points: Historical conversation transcripts are retrieved via the
recap.shcommand and then read by the agent to generate summaries (SKILL.md). - Boundary markers: The transcript output format uses specific delimiters like
=== Conversation ... ===and timestamp headers to structure the data, though these do not prevent the agent from following embedded instructions. - Capability inventory: The skill is intended for summarization and references another skill for loading detailed conversation logs based on the recap findings.
- Sanitization: There is no evidence that the content of the historical transcripts is sanitized, filtered, or escaped before being presented to the agent for processing.
Audit Metadata