rrr
Warn
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the directory `~/.claude/projects/`, which contains sensitive agent session history and session log files. This data is read to detect session IDs and reconstruct activity timelines.
- [REMOTE_CODE_EXECUTION]: In `SKILL.md`, the `--dig` functionality executes a local Python script at `~/.claude/skills/dig/scripts/dig.py`. This script is external to the skill's package, and its contents are not provided for verification.
- [COMMAND_EXECUTION]: The skill makes extensive use of shell commands including `git log`, `git diff`, `ls`, and `sed` to extract project state and session metadata for processing. It also performs file system operations like `mkdir` and `git commit` to persist retrospective logs.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8).
  - Ingestion points: Git history (logs, diffs) and internal session logs (`~/.claude/projects/*.jsonl`) are ingested into the agent context.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when interpolating this external data into templates or subagent prompts.
  - Capability inventory: The skill can write files to the filesystem (`Έ/memory/`), spawn multiple parallel subagents (`Task` tool, `TeamCreate`), and call the `oracle_learn` tool to update a shared memory state.
  - Sanitization: No sanitization or filtering of the ingested git or session data is performed before it is processed or used to influence agent behavior.
Audit Metadata