tldr-stats

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script located at $CLAUDE_PROJECT_DIR/.claude/scripts/tldr_stats.py. This operation is used to aggregate and display session metrics such as token counts and cost estimates, which aligns with the skill's documented purpose.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes and displays output from an external script.
      • Ingestion points: Output from the command python3 $CLAUDE_PROJECT_DIR/.claude/scripts/tldr_stats.py is directly incorporated into the agent's response (SKILL.md).
      • Boundary markers: No specific delimiters or safety instructions are provided to the agent to treat the script output as untrusted data.
      • Capability inventory: The skill has the capability to execute shell commands via python3.
      • Sanitization: There is no evidence of output sanitization or validation before the content is displayed to the user.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 22, 2026, 07:46 AM