The Agent Skills Directory

DATA_EXFILTRATION (LOW): The skill accesses local directories containing Claude Code history and settings.
Evidence: scripts/analyze.sh reads from ~/.claude/settings.json and ~/.claude/projects/.
Context: Access to these paths is necessary for the skill's primary function of usage analysis. No unauthorized data exfiltration to non-whitelisted domains was detected.
Indirect Prompt Injection (LOW): The skill processes untrusted data from project files and conversation logs which could contain adversarial instructions.
Ingestion points: Project configuration files (e.g., package.json, Cargo.toml) and Claude Code history files (.jsonl) parsed in scripts/analyze-claude-md.sh and scripts/analyze.sh.
Boundary markers: Absent. The skill does not use specific delimiters to isolate external content.
Capability inventory: The skill can execute local bash scripts and recommends file system modifications (creating .md configuration files).
Sanitization: Employs basic JSON escaping via sed in the aggregation script.
COMMAND_EXECUTION (SAFE): Executes local bash scripts for data analysis and aggregation.
Evidence: scripts/analyze.sh, scripts/analyze-claude-md.sh, and scripts/github-discovery.sh are used to perform static analysis.
Assessment: The scripts use controlled logic (jq, grep, find) and do not involve arbitrary user input execution or shell injection patterns.
EXTERNAL_DOWNLOADS (SAFE): Fetches documentation and performs GitHub searches.
Evidence: scripts/fetch-features.sh uses curl to fetch from docs.claude.com. scripts/github-discovery.sh uses the gh CLI for searches.
Assessment: Operations target trusted domains related to the tool's ecosystem (docs.claude.com, anthropic.com, github.com).

claude-code-analyzer