recall-conversations

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes past conversation history. If a previous session contains malicious instructions or commands, they could influence the agent's current behavior when the history is recalled as context.
      • Ingestion points: Retrieves message data from a local SQLite database (~/.claude-memory/conversations.db) which is populated from JSONL log files in ~/.claude/projects/.
      • Boundary markers: The skill lacks explicit boundary markers or instructions to the agent to treat retrieved historical content as untrusted or to ignore embedded instructions within it.
      • Capability inventory: The skill uses Bash to execute Python scripts and has access to Read, Grep, and Glob tools.
      • Sanitization: Full-text search queries are sanitized in scripts/memory_lib/content.py to prevent database errors, but the retrieved conversation content is not sanitized for injection patterns.
  • [COMMAND_EXECUTION]: The skill invokes the Bash tool to execute its own local Python scripts (recent_chats.py and search_conversations.py) to query the conversation database. This is the core functionality required for its intended purpose.
  • [DATA_EXFILTRATION]: The skill reads historical conversation logs and metadata from the user's local filesystem (~/.claude-memory/ and ~/.claude/projects/). This data access is essential for the skill's function as a memory retrieval tool, and no external network transmission of this data was identified.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 05:31 PM