claude-history-ingest
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Accesses sensitive local directories containing private conversation history and audit logs, including
~/.claudeand~/Library/Application Support/Claude/local-agent-mode-sessions/.- [COMMAND_EXECUTION]: Employs shellfindcommands to traverse the file system and locate session metadata and audit logs.- [PROMPT_INJECTION]: Subject to indirect prompt injection risks. The skill processes untrusted historical conversation logs and audit trails from previous AI interactions without using boundary markers to prevent the agent from executing instructions embedded in those logs. - Ingestion points: Historical JSONL conversation files and audit logs located in Claude's CLI and Desktop application data folders.
- Boundary markers: None present in the instructions.
- Capability inventory: File system read/write access (Obsidian vault) and shell command execution (
find). - Sanitization: Lacks sanitization for embedded instructions, though it includes general guidance to skip secrets and sensitive personal content.
Audit Metadata