session-historian

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill performs legitimate local operations intended for managing and retrieving agent session history. It limits its scope to the ~/.claude/ directory and does not engage in network communication or execute untrusted code.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes historical session transcripts that may contain content from past interactions. While this could theoretically be used to influence the agent's behavior if it encounters malicious instructions in its history, the risk is mitigated by the skill's lack of high-privilege capabilities such as network access or shell execution.
      • Ingestion points: Historical JSONL transcripts located in ~/.claude/projects/, accessed by the scripts/session_query.py script and described in SKILL.md.
      • Boundary markers: Absent. There are no specific instructions for the agent to use delimiters or ignore embedded commands when processing the content of past sessions.
      • Capability inventory: Includes reading transcripts, writing local summary files to ~/.claude/kaizen/session-summaries/, and performing local DuckDB queries. The skill does not have access to tools for network exfiltration or arbitrary shell command execution.
      • Sanitization: The transcript processing logic extracts raw text content from JSONL records without applying sanitization or filtering for potentially malicious instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 12:17 AM