context-doctor
Warn
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Accesses local session transcripts and history files at '~/.claude/projects/**/.jsonl' to analyze tool usage. These files are sensitive application data and may contain private information, code snippets, or credentials from past interactions.
- [COMMAND_EXECUTION]: Instructs the agent to modify the local file system by moving or deleting skill files, rules, and subagents to reduce context bloat. It also suggests modifying configuration flags that control how the agent loads tools and skills.
- [PROMPT_INJECTION]: Employs role-playing instructions ('You are the instrument') to encourage the agent to audit its own internal context and system prompt, which is a common pattern for prompt extraction.
- [PROMPT_INJECTION]: Exhibits a surface for indirect prompt injection by reading untrusted data from external sources like session logs and project documentation files (CLAUDE.md, AGENTS.md) and using that data to drive file system modifications. Ingestion points: Reads transcripts in jsonl format and project configuration markdown files. Boundary markers: No delimiters or safety instructions provided when reading external files. Capability inventory: Supports file deletion, movement, and configuration modification. Sanitization: No content validation or sanitization is mentioned for the ingested data.
Audit Metadata