claude-reflect
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because its core functionality depends on extracting and implementing instructions from untrusted historical data, specifically Claude Code session files (~/.claude/projects/*.jsonl). A malicious actor could plant hidden instructions in a conversation that are later processed as authoritative "learnings" for the agent's configuration.
  - Ingestion points: Historical session JSONL files and live user messages captured via hooks.
  - Boundary markers: No explicit delimiters or isolation mechanisms are used when passing extracted session text to the LLM for analysis.
  - Capability inventory: The skill can write to and edit critical agent configuration files (CLAUDE.md, AGENTS.md).
  - Sanitization: The system relies on LLM filtering to identify "reusable" content and requires manual approval via the AskUserQuestion tool before any file changes are committed.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute local scripts and command-line utilities (jq, grep, cat). These are used to parse session logs, manage the internal learnings queue, and identify project-specific configuration targets. These operations are limited to the local environment and the intended project files.
Audit Metadata