session-learning
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is inherently designed to ingest untrusted data from session transcripts and re-inject it into future agent contexts without clear sanitization or boundary markers.
  - Ingestion points: Session transcripts are analyzed at the end of every session to extract "learnings".
  - Boundary markers: None mentioned; the README suggests top matches are injected directly as context.
  - Capability inventory: The skill reads/writes YAML files and modifies the system context for future sessions.
  - Sanitization: None mentioned. The process relies on simple keyword matching which can be manipulated to trigger specific malicious "learnings" in future sessions.
- Data Exposure (LOW): The skill aggregates and stores session insights in plaintext YAML files on the local filesystem.
  - Evidence: Data is stored in .claude/data/learnings/ (e.g., errors.yaml, workflows.yaml).
  - Risk: Sensitive information, architectural decisions, and credentials accidentally included in transcripts are concentrated into a single, easily accessible directory on the disk.
Audit Metadata