meta-packager
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is instructed to read sensitive history and log files, specifically
~/.claude/history.jsonland session logs within~/.claude/projects. These files contain full records of previous conversations and interactions, which may include sensitive information, private data, or secrets accidentally shared by the user in past sessions. - [COMMAND_EXECUTION]: The workflow utilizes shell commands such as
tailandfindto programmatically inspect the user's local filesystem and history files. While these commands are used for their intended purpose of evidence collection, they facilitate the automated harvesting of sensitive user data. - [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection by ingesting untrusted data to generate new executable assets.
- Ingestion points: Conversation logs (
history.jsonl), session indices, and shell history are read from the local filesystem. - Boundary markers: The skill lacks explicit instructions to treat history content as untrusted or to ignore embedded instructions when parsing logs for pattern matching.
- Capability inventory: The skill has the capability to create and modify executable files (SKILL.md, hooks, subagents) and execute shell commands.
- Sanitization: No sanitization or validation logic is specified for the data extracted from history before it is used to generate the logic for new skills or automations.
Audit Metadata