read-memories
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive session log files located at $HOME/.claude/projects/*/*.jsonl. These logs contain the full history of previous AI interactions, which may include source code, configuration details, and sensitive information previously shared by the user. While this is the primary purpose of the skill, it represents a significant data exposure surface.
- [COMMAND_EXECUTION]: The skill instructs the agent to dynamically construct shell commands by replacing the <KEYWORD> placeholder with user-provided input. This pattern is vulnerable to shell command injection or SQL injection if the agent fails to properly escape shell metacharacters or DuckDB SQL syntax within the duckdb -c command.
- [PROMPT_INJECTION]: This skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from past session logs and processes it using the Bash tool. Malicious instructions previously encountered in other sessions and stored in the logs could be re-introduced into the agent's current context.
  - Ingestion points: NDJSON log files from the .claude/projects/ directory.
  - Boundary markers: None identified; the SQL query searches raw message content without delimiters or instructions to ignore embedded content.
  - Capability inventory: The skill uses the Bash tool to execute duckdb queries and perform file system management.
  - Sanitization: There is no evidence of sanitization or filtering of log content before it is incorporated into the agent's current context.
Audit Metadata