session-manager

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires executing a Python script (scripts/claude-session.py) that directly modifies Claude Code's internal storage files located in ~/.claude/projects/.
      • The script alters .jsonl chat logs, updating timestamps and removing forkedFrom fields, to manipulate the CLI's session-resumption logic.
      • It also modifies sessions-index.json, which is a core configuration file for the Claude Code application.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by embedding complex behavioral instructions within project documentation files (assets/template-index.md).
      • Ingestion points: The AI is instructed to read doc/reference/claude-sessions.md (based on the index template) as part of its 'Route', 'Register', and 'Update' workflows.
      • Boundary markers: The templates do not use explicit delimiters or safety instructions to separate the management guide from the session data, increasing the risk that the AI may conflate data with instructions.
      • Capability inventory: The AI is granted the capability to execute the management script and modify project files based on the contents of these index files.
      • Sanitization: There is no evidence that data read from these index files is sanitized or validated before the AI acts on instructions found within them.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 01:02 PM