postcompaction
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses local conversation history stored in the
~/.claude/projects/directory and specific session paths. This access is limited to reading transcript files (.jsonl) and is fundamental to the skill's primary purpose of recovering context. No evidence of external network transmission or credential access was found. - [PROMPT_INJECTION]: The skill processes untrusted data from previous conversation transcripts, which introduces an indirect prompt injection surface.
- Ingestion points: Transcripts are read from
~/.claude/projects/or paths extracted from compaction summaries. - Boundary markers: The subagent prompt lacks explicit delimiters (like XML tags) to separate instructions from the transcript content, which could allow malicious content in the history to influence the subagent.
- Capability inventory: The subagent is restricted by the instruction: "This is RESEARCH ONLY — do not edit or write any files," which significantly limits the potential impact of an injection.
- Sanitization: There is no evidence of sanitization or filtering applied to the transcript data before it is processed.
Audit Metadata