resume-claude-here
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data by reading and importing historical Claude session transcripts from the local filesystem. This creates a surface for indirect prompt injection, as a prior session might contain malicious instructions (e.g., content Claude read from the web or external files) that are then re-introduced into the active agent's context during the import process.
- Ingestion points: Reads
.jsonlfiles from~/.claude/projects/and~/.claude/transcripts/. - Boundary markers: The skill instructions in
SKILL.mddo not mandate the use of explicit delimiters or 'ignore' instructions when interpolating transcript content into the prompt. - Capability inventory: The agent can execute local Python scripts and the
claudeCLI, and read/write files as part of the session import workflow. - Sanitization: The Python helper script parses the raw JSON lines but does not perform content sanitization or instruction-filtering on the extracted text before it is returned to the agent.
- [COMMAND_EXECUTION]: The skill's workflow relies on executing a local Python helper script (
scripts/claude_session_tool.py) and theclaudeCLI to discover, rank, and export session transcripts. - [SAFE]: The provided Python script (
scripts/claude_session_tool.py) uses only Python standard library modules and performs legitimate file system reads within the user's home directory specifically targeted at Claude's official configuration and history folders.
Audit Metadata