project-directory-migration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- DATA_EXFILTRATION / SENSITIVE DATA ACCESS (HIGH): The skill is designed to read and modify `~/.claude/history.jsonl` and `~/.claude/projects/`, which contain private conversation history, tool results, and session metadata. Accessing these files constitutes sensitive data exposure.
- INDIRECT PROMPT INJECTION (HIGH): The skill ingests untrusted data from `history.jsonl` and `sessions-index.json` to perform rewrites.
  - Ingestion points: `~/.claude/history.jsonl`, `~/.claude/projects/**/sessions-index.json` (referenced in `SKILL.md` and `session-storage-anatomy.md`).
  - Boundary markers: None specified; the skill performs string or JSON replacement on entries that may contain attacker-controlled content from previous agent interactions.
  - Capability inventory: Use of `Bash` and `Read` tools to execute `claude-code-migrate.sh`, which performs file moves and content rewriting.
  - Sanitization: No sanitization logic is described for handling malicious payloads embedded within the JSONL history files.
- COMMAND_EXECUTION / REMOTE CODE EXECUTION (HIGH): The skill executes a local shell script `scripts/claude-code-migrate.sh` with broad permissions (via the `Bash` tool) to modify the filesystem and environment tools like `mise` and `uv`.
  - Evidence: `SKILL.md` Phase 2 and 3 explicitly trigger script execution: `bash "<skill-scripts>/claude-code-migrate.sh" --dry-run "$OLD_PATH" "$NEW_PATH"`.
  - Note: The content of the `.sh` script was not provided for analysis, making its safety unverifiable.
- PRIVILEGE ESCALATION / PERSISTENCE (MEDIUM): The skill modifies environment tool states (e.g., `mise trust <path>`) and recreates virtual environments (`uv sync`). While contextually relevant, these actions can be used to authorize malicious scripts or persist changes in the user's development environment.
Recommendations
- AI detected serious security threats
Audit Metadata