knowledge-graph-memory
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The script `scripts/conversation_history.py` reads private conversation transcripts from the user's home directory and writes them to the repository.
  - Evidence: Lines 27-41 in `scripts/conversation_history.py` derive paths to `~/.claude/projects/` based on the repository root.
  - Risk: Sensitive chat history containing logic, decisions, or code could be accidentally pushed to public remotes if the generated `docs/conversations/` folder is committed.
- [COMMAND_EXECUTION]: The skill instructions require the execution of a Python script and recommend its integration into automated Git hooks.
  - Evidence: `SKILL.md` provides commands for `chmod +x` and `python3 scripts/conversation-history.py` as part of the installation and pre-push lifecycle.
- [PROMPT_INJECTION]: The skill introduces a surface for indirect prompt injection by using past session logs as authoritative context for future agent actions.
  - Ingestion points: `~/.claude/projects/*.jsonl` (found in `scripts/conversation_history.py` line 147) and `.entire/logs/entire.log` (line 52) are parsed for content.
  - Boundary markers: The script uses Obsidian callout syntax (e.g., `> [!quote]`) in the `generate_session_doc` function to distinguish roles, providing some structure but not complete protection against adversarial instructions embedded in logs.
  - Capability inventory: The agent consuming these logs typically has access to shell and file system tools via Claude Code, as noted in the `SKILL.md` metadata.
  - Sanitization: Basic sanitization of XML tags is performed in the `_callout_safe` function (line 404), but the script does not validate the semantic content for malicious instructions.
Audit Metadata