reflect
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands, specifically `ls -lt`, to identify and filter JSONL conversation files within the `~/.claude/projects/` directory based on modification timestamps.
- [DATA_EXFILTRATION]: The skill accesses sensitive data by reading the user's full conversation history and metadata stored in `~/.claude/history.jsonl` and associated project JSONL files. This involves processing potentially private or sensitive information from past interactions.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from past conversation history and has the capability to write that data to persistent project files.
  - Ingestion points: Reads raw message content (user/assistant) from JSONL files in `~/.claude/projects/`.
  - Boundary markers: No explicit boundary markers or XML delimiters are defined to isolate the history content during the extraction and analysis phase.
  - Capability inventory: The skill can write to `./CLAUDE.md`, `~/.claude/CLAUDE.md`, and `MEMORY.md`.
  - Sanitization: The skill contains instructions to explicitly strip sensitive data (API keys, tokens, passwords) and utilizes an `AskUserQuestion` loop to require human confirmation before any file modification.
Audit Metadata