new-chat-ready

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is instructed to access and read sensitive historical conversation records located in ~/.codex/ and ~/.claude/. These paths contain historical session data, transcripts, and metadata which may contain PII or previously exposed secrets. While this access is the core function of the recovery feature, it involves handling sensitive user data.\n- [COMMAND_EXECUTION]: The skill utilizes system commands such as find, rg (ripgrep), and sqlite3 to locate, search, and query local log files and databases within the user's home directory to extract task state.\n- [PROMPT_INJECTION]: The 'Recovery Mode' creates a surface for indirect prompt injection by ingesting untrusted historical data from past conversation logs to extract facts for new sessions.\n
  • Ingestion points: Historical chat logs in ~/.codex/ and ~/.claude/ (JSONL and SQLite formats).\n
  • Boundary markers: The handoff template uses specific sections to separate Confirmed, Inferred, and Unknown facts, though no specific 'ignore previous instructions' markers are applied to the ingested content itself.\n
  • Capability inventory: The skill can update local project documentation (e.g., AGENTS.md, PROJECT_MEMORY.md), execute shell commands for log searching, and interact with platform thread-management tools (create_thread, send_message_to_thread).\n
  • Sanitization: The instructions explicitly direct the agent to skip staging or committing private data, and to avoid including secrets, tokens, or raw transcripts in the generated handoff packs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 01:59 AM
Security Audit — agent-trust-hub — new-chat-ready