extracting-session-data
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): A shell command injection vulnerability exists in
scripts/filter-sessions.shwithin thedate_to_timestampfunction. The script uses an unquoted command substitution$(...)to process the--sinceand--untilarguments. An attacker providing a crafted date string like1 ago; [malicious-command]can achieve arbitrary code execution. - Evidence: File
scripts/filter-sessions.shcontains:date -j -v-$(echo "${date_str}" | sed 's/ ago//') +%s. If the subshell returns a string containing a semicolon, the shell interprets the subsequent text as a new command. - DATA_EXFILTRATION (MEDIUM): The skill's primary purpose is to programmatically locate and read Claude Code session logs stored in
~/.claude/projects/. These logs contain sensitive data including user prompts, assistant responses, and tool outputs (which may include source code or secrets). - Evidence:
scripts/locate-logs.shcalculates paths targeting the user's private.claudedirectory, andscripts/extract-data.shreads these files usingjqandgrep. - PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from historical session logs. If a previous session contains malicious instructions, they will be extracted by this skill and presented to the agent, potentially hijacking its behavior.
- Ingestion Points:
~/.claude/projects/{project-dir}/{session-id}.jsonl(contains untrusted user/tool data). - Boundary Markers: Absent; the skill returns raw text to the caller without delimiters or warnings.
- Capability Inventory: Subprocess execution (bash), file-read.
- Sanitization: None;
jq -ris used to output the raw content of messages.
Recommendations
- AI detected serious security threats
Audit Metadata