The Agent Skills Directory

[DATA_EXFILTRATION]: The script accesses the ~/.claude/projects/ directory to read session index files and conversation transcripts. These files contain historical session data that may include sensitive code, secrets, or workspace details.
[COMMAND_EXECUTION]: The script uses the subprocess module to execute git commands locally, including git branch, git status, and git log, to synchronize the recovered session context with the current repository state.
[PROMPT_INJECTION]: The skill processes untrusted historical data from .jsonl transcripts, creating an attack surface for indirect prompt injection where instructions from previous sessions could influence the current conversation.
Ingestion points: Reads transcripts and summaries from ~/.claude/projects/<project>/<session-id>.jsonl.
Boundary markers: The script identifies compaction boundaries but does not perform sanitization of the extracted text for embedded instructions.
Capability inventory: The skill can execute shell commands via git and perform file system reads across the workspace.
Sanitization: Extracted user and assistant text is truncated but not filtered for potential malicious instructions or bypass attempts.

continue-claude-work