skill-retro

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script (preprocess.mjs) to clean session logs and uses the rm command to delete temporary transcript files. These operations are restricted to internal Claude Code data directories.- [PROMPT_INJECTION]: The skill features an indirect prompt injection surface by processing session transcripts that could contain malicious instructions designed to influence the analysis sub-agent.\n
  • Ingestion points: Session log files (JSONL) located in ~/.claude/projects/, which are processed by scripts/preprocess.mjs.\n
  • Boundary markers: None; the references/analysis-prompt.md does not define specific delimiters or instructions for the sub-agent to ignore embedded commands within the transcript.\n
  • Capability inventory: The skill can modify other skills' source code via the skill-creator sub-agent and delete local files using rm.\n
  • Sanitization: The preprocessing script removes system-reminder tags but lacks sanitization for potential prompt injection payloads within the user or assistant messages.- [SAFE]: The skill's access to session data and its ability to modify code are consistent with its primary purpose as a development and optimization tool. All significant actions, including path resolution and code implementation, require explicit user approval, providing a robust defense against automated exploitation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 07:57 AM
Security Audit — agent-trust-hub — skill-retro