ai-fluency
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to install a third-party package named 'cc-conversation-search' from PyPI or via 'uv'. This package is not from a recognized trusted vendor and its source code is not provided with the skill.
  - Evidence: 'pip install --user cc-conversation-search' and 'uv tool install cc-conversation-search' in SKILL.md.
- [COMMAND_EXECUTION]: The skill executes several shell commands to manage the external tool and the generated report.
  - Evidence: Executes 'cc-conversation-search init', 'cc-conversation-search list', and 'open ~/Desktop/ai-fluency-report.html'.
- [DATA_EXFILTRATION]: The skill reads and processes the user's local Claude Code conversation history. While the analysis is intended to be local, it accesses sensitive personal data stored in JSONL files and writes a summary report to a public location on the user's filesystem (~/Desktop).
  - Evidence: Reading JSONL files from the conversation index and writing 'ai-fluency-report.html' to the desktop.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted text from past conversations and passes it to sub-agents for analysis without sanitization.
  - Ingestion points: JSONL files containing conversation history.
  - Boundary markers: Absent; the skill extracts human messages but does not wrap them in protective delimiters for the sub-agent prompts.
  - Capability inventory: Sub-agents have 'Read' access to the filesystem; the main agent has 'Bash' and 'Write' capabilities.
  - Sanitization: None; raw message content is interpolated into analysis tasks.
Audit Metadata