meta-packager
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands like
find,tail, andsqlite3to scan the filesystem and query session databases for relevant patterns. - [DATA_EXFILTRATION]: The skill accesses sensitive local directories including
~/.codexand~/.agents, which contain user history and memory. This constitutes data exposure of private interaction logs. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes historical activity that could contain malicious instructions.
- Ingestion points: Files like
history.jsonl,memories/, andsession_index.jsonlare read to identify patterns. - Boundary markers: There are no instructions or markers to distinguish between legitimate history and embedded malicious commands in the analyzed data.
- Capability inventory: The skill has the ability to write and update executable skill files and automations on the local disk.
- Sanitization: There is no sanitization logic to verify that identified patterns are safe before they are packaged into new persistent assets.
Audit Metadata