session-analyzer

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted historical data from Codex session logs, making it susceptible to indirect prompt injection where past messages could influence the agent's current summaries or recommendations.
      • Ingestion points: The repo_session_digest.py script reads session data from ~/.codex/sqlite/state_5.sqlite, ~/.codex/logs_1.sqlite, and JSONL transcripts in ~/.codex/sessions/.
      • Boundary markers: Extracted user messages are interpolated into Markdown and JSON summaries without explicit delimiters or instructions to the LLM to ignore embedded commands.
      • Capability inventory: The skill uses subprocess.run to execute git commands and provides recommendations that shape the agent's next actions.
      • Sanitization: The script performs basic text formatting (whitespace collapsing and tag stripping) but does not validate the semantic content of historical messages for malicious intent.
  • [COMMAND_EXECUTION]: The skill performs local repository analysis using git commands.
      • Evidence: The git_summary function in scripts/repo_session_digest.py executes git status, git log, and git rev-parse using subprocess.run. These calls are implemented using list-based arguments without a shell, which follows security best practices to prevent shell injection.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local files containing user conversation history.
      • Evidence: The script reads SQLite databases and transcript logs containing the user's full Codex session history. While this is the core function of the skill, it involves accessing sensitive personal and professional data stored in the ~/.codex directory.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 5, 2026, 05:38 PM