history-insight

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The skill accesses highly sensitive session history and project context.
      • Evidence: The skill is designed to find and read all .jsonl files in ~/.claude/projects/, which contain the full history of interactions, including potentially sensitive code, business logic, and credentials discussed in past AI sessions.
  • [COMMAND_EXECUTION] (HIGH): The script scripts/extract-session.sh contains a script injection vulnerability in its jq filter.
      • Evidence: On line 71, the shell variable $SESSION_FILE is interpolated directly into the jq command string: file: "'"$SESSION_FILE"'". This allows an attacker who can place a file with a crafted name (e.g., one containing " } | .sensitive_field | { ") into the project directory to inject arbitrary jq filters, potentially exfiltrating data that the script was intended to hide (like thinking or tool_use blocks).
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: Historical session logs in ~/.claude/projects/**/*.jsonl, which store untrusted past user and assistant messages.
      • Boundary markers: Absent. The skill does not use any delimiters or specific instructions to protect the subagent from commands embedded in the session history.
      • Capability inventory: The extracted text is processed by a high-capability model (opus) via a background Task. This subagent is tasked with 'comprehensive analysis' and could be manipulated into performing unauthorized tasks or providing poisoned summaries if it obeys instructions found within the logs.
      • Sanitization: Absent. The skill performs basic extraction but does not sanitize or validate the content of the historical messages before feeding them to the LLM.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:57 AM