meta-packager

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands like find, tail, and sqlite3 to scan the filesystem and query session databases for relevant patterns.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local directories including ~/.codex and ~/.agents, which contain user history and memory. This constitutes data exposure of private interaction logs.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes historical activity that could contain malicious instructions.
  • Ingestion points: Files like history.jsonl, memories/, and session_index.jsonl are read to identify patterns.
  • Boundary markers: There are no instructions or markers to distinguish between legitimate history and embedded malicious commands in the analyzed data.
  • Capability inventory: The skill has the ability to write and update executable skill files and automations on the local disk.
  • Sanitization: There is no sanitization logic to verify that identified patterns are safe before they are packaged into new persistent assets.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 11:09 AM
Security Audit — agent-trust-hub — meta-packager