The Agent Skills Directory

[COMMAND_EXECUTION]: The skill relies on the Bash tool to perform data aggregation via jq. As documented in references/jq-queries.md and references/session-replay.md, shell commands are dynamically constructed using variables such as $CLAUDE_PROJECT_DIR, $SESSION_FILE, and user-provided session IDs. This dynamic command assembly creates a vector for command injection if these variables or file paths contain shell metacharacters.
[DATA_EXFILTRATION]: The skill accesses highly sensitive directories, including ~/.claude/analytics/, ~/.claude/projects/, and ~/.claude/history.jsonl. These locations contain full conversation transcripts, command history, and internal usage statistics. Although the skill instructions state data is local-only, the broad access to historical session data represents a significant privacy risk if the agent is compromised or follows malicious instructions to reveal this content.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it parses and renders data from log files that may contain untrusted strings. 1. Ingestion points: Data is read from multiple JSONL files in ~/.claude/analytics/ and project-specific session logs in ~/.claude/projects/. 2. Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between its own logic and the data contained within the logs. 3. Capability inventory: The agent possesses Bash, Read, Grep, and Glob tools, providing significant system access for any instructions injected via the logs. 4. Sanitization: No sanitization or validation of the log content is performed before rendering results into Markdown tables, which could lead the agent to follow instructions embedded in project names, branch names, or agent identifiers.

analytics