starter-session-audit

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFE
Full Analysis
  • [DATA_EXPOSURE]: The skill accesses the user's global configuration file located at ~/.claude/CLAUDE.md. While this is a sensitive path containing global instructions, the access is consistent with the skill's stated purpose of session persistence management and there are no network tools available in the allowed-tools list to facilitate exfiltration.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user input from conversation history to generate persistent rules for the agent. This creates a surface for indirect prompt injection where malicious instructions in a chat could be 'learned' and written to permanent configuration files.
  • Ingestion points: Full conversation history is scanned in Step 2.
  • Boundary markers: None defined for the scanned conversation content.
  • Capability inventory: Uses Edit and Write tools to modify instruction files like CLAUDE.md and .claude/rules/*.md.
  • Sanitization: No automated sanitization is present, but the skill implements a mandatory 'Human-in-the-loop' approval step (Step 5 and Step 6) where the user must review and approve every finding before it is saved, mitigating the risk of automated injection.
  • [CREDENTIALS_SAFEGUARD]: The skill includes an explicit 'Hard Rule' to detect and refuse the storage of secrets, tokens, or API keys, recommending the use of environment variables instead.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 04:50 PM
Security Audit — agent-trust-hub — starter-session-audit