mining-session-skills

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive local files including session transcripts and project metadata located in ~/.claude/. While no network activity was detected in the provided files, the instructions explicitly acknowledge that transcripts may contain private information, file contents, and secrets, which are ingested into the agent context for processing.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it processes untrusted data from exported markdown transcripts.
      • Ingestion points: It reads transcript files via scripts/extract_session_signals.py from ~/.claude/session-markdown/.
      • Boundary markers: The parsing logic isolates human prompts but lacks security delimiters or explicit instructions for the agent to ignore potentially malicious commands embedded within the session content.
      • Capability inventory: The skill allows for the creation of new SKILL.md files and execution of local shell scripts, which could be abused if the mining process is compromised.
      • Sanitization: No validation or escaping is applied to the extracted transcript text before it is evaluated by the logic gates.
  • [COMMAND_EXECUTION]: The skill workflow relies on executing local shell scripts. It explicitly instructs the agent to run scripts/sync-marketplace-skills.sh during the skill creation process. Additionally, the test suite scripts/test_extract_session_signals.py utilizes subprocess.check_output to execute Python scripts internally.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 13, 2026, 12:06 PM
Security Audit — agent-trust-hub — mining-session-skills