trellis-session-insight

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Accesses sensitive local directory paths containing private AI conversation logs.
  • Evidence: ~/.claude/projects/, ~/.codex/sessions/, and ~/.pi/agent/sessions/ are explicitly targeted for indexing and reading in SKILL.md.
  • [COMMAND_EXECUTION]: Executes shell commands via the trellis CLI tool with parameters derived from user input or search keywords.
  • Evidence: Calls to trellis mem search, trellis mem extract, and trellis mem context are documented in SKILL.md and references/cli-quick-reference.md.
  • [PROMPT_INJECTION]: Susceptible to indirect prompt injection through the ingestion of untrusted dialogue history.
  • Ingestion points: Dialogue is retrieved via trellis mem extract and trellis mem search (SKILL.md).
  • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided skill files.
  • Capability inventory: The skill enables the agent to execute local CLI commands and modify project files (PRDs, design docs) based on retrieved context.
  • Sanitization: No evidence of data sanitization or escaping of the retrieved dialogue history before processing by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 06:16 PM
Security Audit — agent-trust-hub — trellis-session-insight