explanation-traces
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to run diagnostic and validation commands. Reference files such as "references/error-handling.md" and "references/preferred-patterns.md" provide snippets using "python3 -c", "grep", "find", and "rg" to check the integrity of JSON files and search for hook scripts. While these are local operations, they provide the agent with pre-written shell commands that interact with the file system.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it reads and displays data from "session-trace.json", which is generated by other system components (hooks). If a hook were compromised or designed to include instructions in the trace's "evidence" or "context" fields, the agent might inadvertently execute or follow those instructions during the presentation phase.
  - Ingestion points: Accesses "session-trace.json" and ".claude/session-trace.json" via the Read tool in Phase 1 and Phase 2.
  - Boundary markers: None identified. The instructions do not direct the agent to wrap the ingested trace data in protective delimiters or "ignore previous instructions" markers during Phase 3 (Presentation).
  - Capability inventory: The skill utilizes Bash, Read, Glob, and Grep tools, providing a surface for command execution if manipulated.
  - Sanitization: There is no logic provided to sanitize or filter potential instructional text from the decision trace before it is formatted and presented to the user.
Audit Metadata