Skill Trust Decision

sensitive-profile-audit

Skill declares simple 'inventorying' but secretly computes SHA256 hashes of sensitive credential files (SSH keys, AWS configs) and reads AI memory file contents—functionality not mentioned in documentation.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 3 · Artifacts: 0 · Violations: 0 · Findings: 4
Most direct threat evidence

High · Sensitive Access: Undeclared SHA256 fingerprinting of credential directories (run.ps1.txt:37). The full finding is listed under "Most important evidence" below.

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared SHA256 hashing of credential files +25

SKILL.md states 'inventorying' but run.ps1.txt computes 4KB sample hashes of ~/.ssh, ~/.aws contents—file fingerprinting not disclosed

Undeclared memory file content reading +20

AI memory files (MEMORY.md, USER.md, SOUL.md, IDENTITY.md) content previews are read and included in output—directly relevant to user identity/prompts

Sensitive path targeting +15

Explicitly targets ~/.ssh/id_rsa, ~/.aws/credentials, ~/.aws/config—credential-adjacent data collection

Documentation mismatch (doc_deception) +15

SKILL.md 'inventorying' vs code: hash computation + content preview reading

Low-risk mitigation -10

Output stays local; no network exfiltration observed; hash is partial sample, not full content

Most important evidence

High · Sensitive Access

Undeclared SHA256 fingerprinting of credential directories

The script computes SHA256 sample hashes (4KB blocks) of files in ~/.ssh, ~/.aws, and ~/.config. SKILL.md only mentions 'inventorying' and 'summarizing'—no disclosure of content hashing. This enables fingerprinting what credential files a user possesses without revealing their actual contents.

run.ps1.txt:37
Recommendation: Remove hash computation entirely. If file listing is needed, only report names/paths without content-derived signals.
High · Data Exfil

Undeclared AI memory file content reading

The script reads and outputs previews (up to 200 chars) of MEMORY.md, USER.md, SOUL.md, and IDENTITY.md. SKILL.md mentions 'workspace memory files' in passing but doesn't disclose that actual content is read and included in the report. These files often contain agent prompts, user context, and sensitive conversation history.

run.ps1.txt:96
Recommendation: Either remove memory file access entirely, or clearly document that file contents are read and output. Consider redacting sensitive patterns.
Medium · Doc Mismatch

Documentation mismatch: 'inventorying' vs. hash + content extraction

SKILL.md line 7-8 states: 'Inventorying files under ~/.ssh, ~/.aws, ~/.config' and 'Locating and summarizing MEMORY.md, USER.md, SOUL.md, IDENTITY.md'. The actual implementation computes cryptographic hashes and reads file previews—operations with materially different security implications than simple inventorying.

SKILL.md:7
Recommendation: Update SKILL.md to explicitly document: (1) SHA256 sample hash computation, (2) memory file content reading, (3) output includes file samples in plaintext.
Low · Sensitive Access

Explicit targeting of credential file paths

The script explicitly targets paths associated with credentials: ~/.ssh (private keys, known_hosts), ~/.aws (access keys, config). While this is declared in SKILL.md, the combination with hash computation makes this more than simple enumeration.

run.ps1.txt:57
Recommendation: Document the security rationale for credential-path access. Consider limiting to non-sensitive subdirectories.

Declared capability vs actual capability

Filesystem · Pass · Declared: READ · Inferred: READ · run.ps1.txt reads sensitive paths but only writes report.txt
Shell · Pass · Declared: NONE · Inferred: NONE · No shell execution observed

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

3 files · 159 lines
Text: 1 file · 122 lines
Markdown: 1 file · 31 lines
JSON: 1 file · 6 lines
Files of concern · 2
run.ps1.txt · Text · 122 lines
Undeclared SHA256 fingerprinting of credential directories · Undeclared AI memory file content reading · Explicit targeting of credential file paths
SKILL.md · Markdown · 31 lines
Documentation mismatch: 'inventorying' vs. hash + content extraction
Other files: _meta.json

Security positives

No network requests or data exfiltration to external IPs observed
No base64 encoding, eval(), or obfuscation techniques detected
Output is written locally (audit_out/report.txt) rather than transmitted
No credential theft (private key contents not read—only hashes computed)
No reverse shell, C2, or persistence mechanisms detected