claude-session-handoff
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and summarizes external data (Claude Code session logs from `~/.claude/projects/`). If a previous session contained malicious instructions or adversarial content, the summarization process could propagate those instructions into the agent's current context.
  - Ingestion points: Conversation logs in JSONL format located in `~/.claude/projects/`.
  - Boundary markers: The skill uses structured summarizing (User's goal, decisions, next steps) but lacks explicit boundary markers or instructions to the agent to ignore any commands embedded within the logs.
  - Capability inventory: The provided Python script only performs file reads and string processing; however, the agent utilizing this skill may have broader system access.
  - Sanitization: Content is shortened and whitespace is normalized, but no sanitization for malicious prompt instructions is performed.
- [COMMAND_EXECUTION]: The test file `tests/test_claude_session_handoff.py` uses `subprocess.check_output()` to execute the helper script during testing. This is a standard practice for test suites and uses controlled arguments, representing a low risk in this specific context.
- [DATA_EXPOSURE]: The skill's primary function is to read session logs from `~/.claude/projects/`. While these logs may contain sensitive information (code, discussion history), the data remains local and is not transmitted over the network. This behavior is consistent with the skill's stated purpose of context recovery.
Audit Metadata