initializing-memory

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXPOSURE]: The skill and its associated scripts access highly sensitive interaction history files located at ~/.claude/history.jsonl and ~/.codex/history.jsonl. These files contain the full record of user prompts and assistant responses, which may include credentials, private source code, and personal information.
  • [COMMAND_EXECUTION]: The skill utilizes several shell scripts (detect-history.sh, list-sessions.sh, search-history.sh, view-session.sh) and command-line tools such as jq, git, and split to inspect, filter, and process local data. This includes parsing and displaying contents of session files to the agent context.
  • [INDIRECT_PROMPT_INJECTION]: The skill automates the extraction of "Hard Rules & Preferences" and "Project Context" from historical logs to be written into the agent's core system/ files. Since historical logs are untrusted and may contain malicious content from past sessions (e.g., instructions previously read from an attacker-controlled file), this workflow allows for the persistence of prompt injection attacks across the agent's identity and future sessions.
  • Ingestion points: Reads from global history files and project-specific session files in ~/.claude/ and ~/.codex/.
  • Boundary markers: The instructions do not define strict boundary markers or sanitization requirements for content promoted to the system prompt.
  • Capability inventory: Full filesystem write access to the memory directory, git operations, and subprocess execution via subagents.
  • Sanitization: There is no explicit requirement to sanitize or escape extracted content before interpolating it into core memory files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 9, 2026, 03:27 PM
Security Audit — agent-trust-hub — initializing-memory