recall
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses highly sensitive session logs located in
~/.claude/projects/. These files contain full conversation histories, including potential secrets or proprietary code discussed in previous sessions. While this access is the primary purpose of the 'recall' functionality, it represents a significant data exposure surface. - [COMMAND_EXECUTION]: The script
scripts/session-graph.pyutilizessubprocess.run(['open', output_path])to launch the generated HTML graph in the user's default web browser. While used here for user convenience, executing system commands on file paths is a high-privilege operation. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). Malicious instructions stored in historical session logs could be 'recalled' into the current agent context.
- Ingestion points: Reads historical JSONL session logs in
scripts/recall-day.pyandscripts/extract-sessions.py. - Boundary markers: The skill lacks explicit 'ignore embedded instructions' delimiters when presenting recalled text to the agent.
- Capability inventory: The skill has access to
Bashandpython3tools as defined inSKILL.md. - Sanitization: Uses regex
STRIP_PATTERNSto remove system tags and tool noise, but does not sanitize general natural language instructions. - [EXTERNAL_DOWNLOADS]: The visualization tool
scripts/session-graph.pygenerates HTML that depends on thepyvislibrary. When rendered, the browser fetches thevis-networkJavaScript assets from a remote CDN (unpkg.com). This is a standard but external dependency for the graph's interactive features.
Audit Metadata