meta-promote

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive local files including ~/.zsh_history, ~/.bash_history, and ~/.claude/history.jsonl. Shell history files frequently contain sensitive information such as plain-text passwords, API keys, and environment variables. Chat history files contain the full record of private interactions which may include sensitive personal or professional data.- [COMMAND_EXECUTION]: The skill generates and writes persistent executable content to the filesystem. It is designed to create hooks.json files containing shell commands and SKILL.md files that define future agent behavior. Although creation is gated by user approval, this functionality allows for the introduction of new executable logic into the agent's environment.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It processes data from historical logs and shell histories without using boundary markers or sanitization techniques. This could allow malicious instructions embedded in previous chat sessions or shell comments to be 'promoted' into trusted, persistent skills or automated hooks.
  • Ingestion points: ~/.claude/history.jsonl, ~/.zsh_history, ~/.bash_history, and session logs.
  • Boundary markers: None identified in the instruction set for handling ingested data.
  • Capability inventory: File writing to skill directories (~/.claude/skills/, .claude/skills/) and hook configuration files.
  • Sanitization: The skill does not perform escaping or validation of the ingested historical content before proposing it for asset creation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 11:35 AM
Security Audit — agent-trust-hub — meta-promote