Remembering Conversations
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes an
install-hookscript that modifies the user's~/.claude/hooks/sessionEndfile to automatically execute the indexing process after every Claude Code session. This persistence mechanism is documented and required for the skill's auto-indexing feature.\n- [DATA_EXFILTRATION]: To provide search functionality, the skill reads sensitive local conversation logs from~/.claude/projects/and copies them to a local archive in~/.config/superpowers/. Additionally, thesummarizer.tscomponent sends conversation excerpts to the Anthropic API using the official Claude SDK to generate searchable summaries. This is consistent with the skill's purpose but involves processing sensitive data externally.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes historical conversation data that could contain malicious instructions designed to influence the agent's behavior during summarization or retrieval.\n - Ingestion points:
parser.tsreads.jsonlconversation files from project directories.\n - Boundary markers: The
search-agent.mdtemplate uses Markdown sections to separate data, but there are no explicit delimiters used during raw text processing for embeddings or summaries to differentiate between data and instructions.\n - Capability inventory: The skill uses
npx tsxfor code execution and the Anthropic API for text processing.\n - Sanitization: No explicit sanitization or filtering of historical chat content is performed before it is processed by the summarizer or search agent.
Audit Metadata