load-conversation

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to construct a bash command by inserting a UUID extracted from user input into a shell execution template (load.sh --id "CONVERSATION_UUID"). This pattern is vulnerable to command injection if a user provides an ID containing shell control characters (e.g., semicolons, backticks, or command substitution), potentially allowing the execution of arbitrary commands outside the skill's intended scope.
  • [PROMPT_INJECTION]: The skill ingests untrusted transcript data from a conversation history database and presents it to the agent without delimiters or instructions to ignore embedded commands. This creates an indirect prompt injection surface where malicious instructions stored in a previous conversation could hijack the agent's behavior when the history is loaded.
  • Ingestion points: Conversation transcript data retrieved via scripts/load.sh and presented to the context in SKILL.md.
  • Boundary markers: Absent from the instructions for displaying the transcript.
  • Capability inventory: scripts/load.sh executes the ch-load binary, which can access the conversation database.
  • Sanitization: No sanitization or escaping of the retrieved transcript content is performed before it is presented to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 01:25 AM