starter-session-audit
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill accesses the user's global configuration file located at
~/.claude/CLAUDE.md. While this is a sensitive path containing global instructions, the access is consistent with the skill's stated purpose of session persistence management and there are no network tools available in theallowed-toolslist to facilitate exfiltration. - [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user input from conversation history to generate persistent rules for the agent. This creates a surface for indirect prompt injection where malicious instructions in a chat could be 'learned' and written to permanent configuration files.
- Ingestion points: Full conversation history is scanned in Step 2.
- Boundary markers: None defined for the scanned conversation content.
- Capability inventory: Uses
EditandWritetools to modify instruction files likeCLAUDE.mdand.claude/rules/*.md. - Sanitization: No automated sanitization is present, but the skill implements a mandatory 'Human-in-the-loop' approval step (Step 5 and Step 6) where the user must review and approve every finding before it is saved, mitigating the risk of automated injection.
- [CREDENTIALS_SAFEGUARD]: The skill includes an explicit 'Hard Rule' to detect and refuse the storage of secrets, tokens, or API keys, recommending the use of environment variables instead.
Audit Metadata