The Agent Skills Directory

DATA_EXFILTRATION (MEDIUM): The skill accesses sensitive application data outside the project directory. Specifically, it targets ~/.claude/scripts/analyze-sessions.py and searches for session logs in ~/.claude/projects/. While this is intended for retrospective analysis of previous AI sessions, accessing local application history is a high-sensitivity operation. This finding is downgraded from HIGH to MEDIUM as it is essential to the skill's primary purpose of conducting a retrospective.
COMMAND_EXECUTION (LOW): The skill executes several local shell commands including git, bd (beads CLI), and ao (flywheel CLI). These are used for data gathering and indexing. There is no evidence of downloading and executing remote scripts.
PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection (Category 8). It ingests data from multiple untrusted sources (git commit messages, issue tracker comments, and session history) and processes them to generate summaries. An attacker with the ability to influence these sources could inject instructions to manipulate the agent's summary or behavior.
Ingestion points: git log, bd show, analyze-sessions.py output, and the Read tool on arbitrary project files.
Boundary markers: Absent. The instructions do not define delimiters or warnings to ignore instructions within the ingested data.
Capability inventory: File system write access (.agents/), shell command execution, and read access to global session history.
Sanitization: None detected. The skill directly interpolates gathered context into its reasoning process.

retro