trellis-session-insight
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Accesses sensitive local directory paths containing private AI conversation logs.
- Evidence:
~/.claude/projects/,~/.codex/sessions/, and~/.pi/agent/sessions/are explicitly targeted for indexing and reading inSKILL.md. - [COMMAND_EXECUTION]: Executes shell commands via the
trellisCLI tool with parameters derived from user input or search keywords. - Evidence: Calls to
trellis mem search,trellis mem extract, andtrellis mem contextare documented inSKILL.mdandreferences/cli-quick-reference.md. - [PROMPT_INJECTION]: Susceptible to indirect prompt injection through the ingestion of untrusted dialogue history.
- Ingestion points: Dialogue is retrieved via
trellis mem extractandtrellis mem search(SKILL.md). - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided skill files.
- Capability inventory: The skill enables the agent to execute local CLI commands and modify project files (PRDs, design docs) based on retrieved context.
- Sanitization: No evidence of data sanitization or escaping of the retrieved dialogue history before processing by the agent.
Audit Metadata