skills/raddue/crucible/recall/Gen Agent Trust Hub

recall

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive file paths within the user's home directory (~/.claude/projects/). This directory contains session indices, event logs, and narrative summaries of the agent's activity. While this is used for context retrieval, reading from hidden system/application directories is a data exposure risk.
  • [COMMAND_EXECUTION]: The instructions require the agent to execute a shell command pipeline (echo -n "<absolute project dir>" | sha256sum | cut -c1-16) to dynamically compute a project hash for path construction. Additionally, the skill explicitly instructs the agent to use Read and Glob tools to access restricted paths because "safety hooks" block bash from accessing them, representing an intentional bypass of configured environment restrictions.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection (Category 8) by ingesting and processing session logs that may contain untrusted content from previous tasks (e.g., file edits, web content, or tool outputs).
    • Ingestion points: events.jsonl and summary.md in the session-index directory.
    • Boundary markers: No delimiters or instructions are provided to the agent to treat the retrieved log content as untrusted or to ignore embedded instructions.
    • Capability inventory: The agent has the ability to read and glob files across the session index, potentially exposing history from multiple sessions if the glob is broad.
    • Sanitization: There is no evidence of sanitization, escaping, or validation of the log data before it is re-introduced into the agent's context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 08:13 PM