lovstudio-auto-context
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses and reads from ~/.claude/CLAUDE.md. This is a global configuration file that contains authoritative instructions and settings for the agent. Accessing such sensitive paths is a security concern as it involves reading files outside the immediate project scope.
- [COMMAND_EXECUTION]: The skill performs persistent file system modifications, including writing memory files to ~/.claude/projects/<project-slug>/memory/ and editing CLAUDE.md files in the global and local directories. These operations allow the skill to modify the agent's behavior and instructions permanently.
- [PROMPT_INJECTION]: The skill implements a workflow that is vulnerable to indirect prompt injection:
  - Ingestion points: The skill explicitly 'scans recent turns for unpersisted feedback/preferences' from the session transcript (SKILL.md).
  - Boundary markers: There are no specified boundary markers or delimiters to isolate untrusted session data from the instructions being written to storage.
  - Capability inventory: The skill has capabilities to write to global and project configuration files.
  - Sanitization: There is no evidence of sanitization or filtering of the captured session data. This creates a risk where malicious instructions provided by an external source during a chat could be 'memorized' and turned into persistent system-level rules by the agent without the user realizing the source of the instruction.
Audit Metadata