trace-change-why

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/find-session.sh is vulnerable to argument injection. The variable $FILE_PATTERN is passed directly to grep and rg without the -- end-of-options terminator, so a file pattern starting with a hyphen could be interpreted as a command-line option, potentially allowing an attacker to manipulate the search tool's behavior.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by design. It retrieves and analyzes past session logs located in ~/.claude/projects/. These logs contain historical conversation data that may include content from untrusted external sources encountered in previous sessions. Re-injecting this data into the current context without sanitization could lead the agent to execute malicious instructions embedded in the history.
      • Ingestion points: Reads from .jsonl session transcript files using shell scripts and file-reading tools.
      • Boundary markers: None identified. The skill does not provide the agent with specific delimiters or instructions to treat the log content as untrusted data.
      • Capability inventory: The skill utilizes shell execution (bash), version control tools (git), and file system access.
      • Sanitization: No sanitization or validation is performed on the session log content before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 01:22 AM