agents-introspection
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions and helper script access highly sensitive local directories containing agent session history:
~/.claude/projects/and~/.codex/sessions/. These transcripts serve as long-term logs of agent interactions and frequently contain sensitive information such as API keys, session tokens, and proprietary code discussed in previous sessions. - [COMMAND_EXECUTION]: The skill executes a local Python script
scripts/transcript-miner.pyusinguv. This script further performs shell execution by calling theripgrep(rg) utility to search through private directories in the user's home folder. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection risks. It processes data from historical transcripts which could contain malicious instructions or misleading data from external sources encountered in past sessions, potentially influencing the agent's current behavior or its recommendations for durable configuration fixes.
- Ingestion points: Historical transcript files located in
~/.claude/projects/and~/.codex/sessions/are processed and read into the agent's context. - Boundary markers: The skill lacks explicit prompt delimiters or "ignore instructions" warnings for the ingested transcript data, although it advises the agent to treat content as sensitive.
- Capability inventory: The skill has the capability to execute shell commands (via the miner script) and perform file writes/edits to critical project files including
AGENTS.mdand other skill definitions (SKILL.md). - Sanitization: The
transcript-miner.pyscript provides regex-based redaction for PII and common secret formats (e.g.,sk-,0x...), but the agent is permitted to view raw matching transcripts without these protections if determined necessary by the workflow.
Audit Metadata