save-conversation
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to read and process sensitive conversation logs stored at `~/.claude/projects/`. These logs contain the full history of user interactions, which may include credentials, environment variables, or private data.
- [DATA_EXFILTRATION]: The script `scripts/export.py` is vulnerable to path traversal. The `--project-path` and `--session-id` arguments are used to construct a file path without validation, which could allow a malicious actor or a compromised session to force the script to read any `.jsonl` file on the filesystem using `..` sequences.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script (`scripts/export.py`) with arguments derived from the current session context. This execution is used to process sensitive system files.
- [EXTERNAL_DOWNLOADS]: The installation instructions recommend fetching the skill from the author's repository via `npx skills add HartreeWorks/skill--save-conversation`.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from previous conversations. Evidence:
  - Ingestion points: Conversation log files (`.jsonl`) located in `~/.claude/projects/` (processed by `scripts/export.py`).
  - Boundary markers: Absent; the script parses the JSON structure but does not include explicit delimiters or instructions for the agent to ignore embedded commands within the extracted content.
  - Capability inventory: The agent has the ability to execute shell commands and perform file operations (File: `SKILL.md`).
  - Sanitization: The script performs basic sanitization such as `slugify` for filenames and `shift_headings` for Markdown content, but does not sanitize the message content for potential injection attacks or malicious instructions.
Audit Metadata