postcompact
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXPOSURE]: The skill extracts a file path from the conversation context to locate a transcript. Because this path originates from potentially untrusted conversation history, an attacker could inject a malicious path (e.g., `/etc/passwd` or `~/.ssh/id_rsa`) to trick the agent into reading sensitive system files.
- [DATA_EXPOSURE]: The skill targets files within `~/.claude/projects/`, a directory containing sensitive user session data and project logs.
- [PROMPT_INJECTION]: The skill processes untrusted transcript data using a subagent without sanitization, creating a surface for indirect prompt injection where malicious instructions embedded in the session history could compromise the subagent's behavior.
- [PROMPT_INJECTION]: Mandatory Evidence Chain for Indirect Prompt Injection:
  - Ingestion points: Untrusted session transcript files (`.jsonl`) and paths extracted from the compaction summary (SKILL.md, Step 1).
  - Boundary markers: Absent; the subagent is not instructed to treat the transcript content as inert data or to ignore embedded instructions.
  - Capability inventory: The skill launches a foreground `Agent` with the ability to read files and perform research (SKILL.md, Step 2).
  - Sanitization: Absent; there is no validation or filtering of transcript content before processing.