session-close
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill represents an indirect injection surface as it ingests untrusted data from conversation history and git logs to reconcile state.
- Ingestion points: Current conversation context (Phase 1/3) and local git log/status history (Phase 1).
- Boundary markers: Phase 5 enforces a hard requirement for a diff preview and explicit user approval ("Do not write files without showing the user what will change").
- Capability inventory: The skill uses
Read,Write,Edit, andBash(local git log/status) to manage project-specific memory files located in~/.claude/projects/. - Sanitization: Implements a "three-gate filter" (Durability, Specificity, Retrieval) and structured merge strategies (REPLACE, MERGE-LIST, PRESERVE) to control how data is integrated.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses project-related metadata and memory files in the
~/.claude/directory. This is consistent with its stated purpose of project state reconciliation. The instructions explicitly forbid remote calls, fetching from git remotes, or making network requests.
Audit Metadata