agent-self-reflection

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is specifically designed to locate and read sensitive local chat history files stored in hidden directories such as ~/.claude/projects/ and ~/.codex/sessions/. These transcripts can contain proprietary source code, hardcoded credentials, and private communication.
  • Evidence: references/transcript-sources.md provides detailed shell logic to search for project-specific transcripts in these locations.
  • [COMMAND_EXECUTION]: The skill utilizes shell utilities like rg (ripgrep) and jq to traverse and parse sensitive local data files. Furthermore, it explicitly instructs the agent to create or modify other skill files and scripts based on the patterns found in these transcripts.
  • Evidence: SKILL.md Step 6 ("Choose durable fixes") allows the agent to "Create a new skill", "Update an existing skill", or "Add a script".
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by processing untrusted historical data (past transcripts) and using it to generate permanent project instructions. If a previous conversation was influenced by an attacker or contained malicious patterns, those could be codified into the project's durable instruction set (e.g., AGENTS.md).
  • Ingestion points: Local files in ~/.claude and ~/.codex (specified in references/transcript-sources.md).
  • Capability inventory: Shell command execution, local file reads, and file writes to create/update skills.
  • Sanitization: The skill requests redaction of secrets but lacks technical boundary markers or validation for the instructions extracted from transcripts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 06:47 AM
Security Audit — agent-trust-hub — agent-self-reflection