extract-learnings
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external Python scripts located in the recall-conversations skill directory using the Bash tool. These scripts are used to gather context from past sessions.\n
- Evidence: python3 ${CLAUDE_PLUGIN_ROOT}/skills/recall-conversations/scripts/recent_chats.py\n
- Evidence: python3 ${CLAUDE_PLUGIN_ROOT}/skills/recall-conversations/scripts/search_conversations.py\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) by extracting 'learnings' from untrusted conversation data and persisting them into system configuration files (CLAUDE.md), which can alter the agent's long-term behavior.\n
- Ingestion points: Stage 1 (Context Gathering) reads from the current conversation and past session logs retrieved via scripts in SKILL.md.\n
- Boundary markers: Absent. No specific markers or warnings are used to delimit source data during the extraction phase.\n
- Capability inventory: The skill utilizes Edit and Write tools to modify ~/.claude/CLAUDE.md and other memory files in Stage 4.\n
- Sanitization: Absent. The skill relies on LLM distillation and a manual user approval step but does not implement programmatic sanitization or escaping of the content written to configuration files.
Audit Metadata