tokeneconomics
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local Python script using python3 and passes arguments derived from user input.\n
- Evidence:
SKILL.mdcontains the commandpython3 \"${CLAUDE_PLUGIN_ROOT}/scripts/tokeneconomics.py\" --days <N>.\n - Risk: The
<N>value is determined based on user requests (e.g., "last week"). If the agent does not validate that this input is a simple integer, an attacker could potentially inject additional shell commands or manipulate the script's behavior.\n- [DATA_EXFILTRATION]: The skill is designed to read and process local session logs.\n - Evidence: The skill's core purpose is to "Analyze Claude Code session logs" as stated in
SKILL.md.\n - Risk: Session logs contain the full history of interactions, which may include sensitive code, credentials, or personal data. While no network exfiltration code is present in the markdown files, the access to this data is a prerequisite for potential exfiltration.\n- [PROMPT_INJECTION]: The skill processes untrusted data from past sessions, creating a surface for indirect prompt injection.\n
- Ingestion points: Session logs parsed by the
tokeneconomics.pyscript.\n - Boundary markers: None identified in the workflow to separate log data from agent instructions.\n
- Capability inventory: Shell command execution via
python3(SKILL.md).\n - Sanitization: No sanitization or escaping of the log content is mentioned before it is displayed "inline" to the agent.\n
- Risk: Maliciously crafted content within a user's history could be interpreted as instructions when the agent processes the analysis report.
Audit Metadata