session-search
Warn
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read and process sensitive session transcripts stored in
~/.claude/projects/. These files contain a full history of past user and agent interactions, which may include proprietary code, credentials, or private information. While the data is processed locally, presenting large excerpts to the agent context constitutes a significant exposure of sensitive local state. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design. It extracts content from external files (past session logs) and feeds them into the current agent prompt for semantic evaluation.
- Ingestion points: Session JSONL files found in
~/.claude/projects/viascripts/search.py. - Boundary markers: Output is structured within a
SESSIONS_DATAJSON block, but the skill lacks specific instructions for the agent to disregard instructions embedded within the transcript excerpts. - Capability inventory: The script performs recursive file discovery and reading across the entire session storage directory.
- Sanitization: No sanitization or filtering is performed on the content of past messages to strip out potential 'jailbreak' strings or malicious commands before they are presented to the model.
Audit Metadata