cc-canary-html

Warn

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates the user-provided {window} parameter directly into a Bash command string. This creates a potential command injection vector where a malicious input could lead to the execution of unauthorized commands or manipulation of file system paths via the analysis script's arguments.
  • [DATA_EXFILTRATION]: The skill accesses sensitive information within Claude Code session logs (~/.claude/projects/). Although the utility script redacts common secrets like tokens and system paths, the analysis process exposes user conversation history to the model and saves it to a new local HTML file, constituting a data exposure risk.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from session logs and includes snippets of this data in the prompts used to generate the final report.
      • Ingestion points: The skill reads log files from ~/.claude/projects/**/*.jsonl using the scripts/compute_stats.py script.
      • Boundary markers: The skill uses HTML comment placeholders (e.g., ) to indicate where the agent should insert text, but it does not use strong delimiters or instructions for the agent to ignore instructions embedded within the log snippets.
      • Capability inventory: The agent has access to Read, Write, and Bash (restricted to specific tools like python3, open, etc.), allowing it to read logs, write reports, and execute analysis scripts.
      • Sanitization: The Python script includes a redact function that uses regular expressions to replace emails, tokens, and paths with placeholders, which partially mitigates credential exposure but does not prevent prompt-level manipulation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 24, 2026, 07:11 PM