chat-history
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- Data Exposure & Exfiltration (MEDIUM): The skill accesses `~/.claude/projects/`, which contains sensitive session history. While it does not directly send data to a remote URL, it moves private information from a system-protected directory into the project workspace and explicitly encourages committing this data to version control (`git commit`). This significantly increases the risk of exposing proprietary code, API keys, or private instructions found in historical logs.
- Command Execution (LOW): The script executes multiple shell commands (`grep`, `sed`, `awk`, `jq`) to process files. It relies on `pwd` to compute paths for internal files, which is a standard pattern but allows for indirect interaction with the filesystem based on the current directory context.
- Indirect Prompt Injection (LOW): The skill processes untrusted data (historical session inputs) and interpolates it directly into markdown files without sanitization or boundary markers. If previous sessions contained malicious markdown or instructions, they are persisted and rendered in the new project documentation.
  - Ingestion points: `~/.claude/projects/*.jsonl` session files.
  - Boundary markers: None present in the output generation logic.
  - Capability inventory: Writing files to the local filesystem via `mv` and redirection.
  - Sanitization: Minimal filtering (using `grep -v`) is applied to remove specific system strings, but no escaping of arbitrary content is performed.
Audit Metadata