banana-claude-codex-import
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from past session logs and preparing it for distillation into the agent's long-term memory.
  - Ingestion points: Reads JSONL session files from `~/.claude/projects/` and `~/.codex/sessions/`.
  - Boundary markers: The script does not wrap the imported content in delimiters or add warnings to ignore embedded instructions when formatting the memory candidates.
  - Capability inventory: The skill reads local chat logs and writes formatted markdown files to the workspace memory directory, which the agent is then instructed to read and incorporate into `MEMORY.md`.
  - Sanitization: No sanitization, escaping, or instruction filtering is performed on the content extracted from the past sessions.
- [COMMAND_EXECUTION]: The skill's primary workflow involves executing a local Python script (`scripts/import_conversations.py`) to scan, parse, and archive local session files.
Audit Metadata