claude-reflect
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local shell commands (jq, grep, ls, cat) and custom scripts to manage a learning queue and scan project session history. These tools are used for text processing and directory navigation within the local environment.
- [COMMAND_EXECUTION]: Employs dynamic context injection (using the !command syntax) in reflect.md and view-queue.md to retrieve current session state. The commands executed are limited to reading the queue file and identifying the current working directory.
- [PROMPT_INJECTION]: The skill processes user-generated messages from past sessions to extract rules, representing a surface for indirect prompt injection. While this could theoretically ingest malicious instructions from compromised session logs, the skill requires explicit human approval via the AskUserQuestion tool before any change is applied to configuration files, serving as a robust security boundary.
  - Ingestion points: Reads from ~/.claude/projects/*.jsonl session files and ~/.claude/learnings-queue.json.
  - Boundary markers: Utilizes interactive user prompts and confirmation dialogs to validate extracted data before it is persisted.
  - Capability inventory: Uses Write, Edit, and Bash tools across multiple scripts and commands to modify configuration files and process logs.
  - Sanitization: Employs jq for safe JSON manipulation in shell scripts and LLM-based filtering to evaluate the reusability of extracted text.