reflect
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes conversation history which may contain untrusted data or adversarial instructions intended to subvert the learning extraction process.
  - Ingestion points: Reads conversation history from `~/.claude/ccrecall.db` (as described in `references/analysis-patterns.md`) and the current session context window.
  - Boundary markers: No explicit boundary markers or delimiters are used to separate user data from instructions during analysis.
  - Capability inventory: The skill has the capability to write proposed learnings into local skill files in `.claude/skills/` or `~/.claude/skills/`.
  - Sanitization: There is no automated sanitization of the extracted content; however, the skill explicitly requires manual user approval before any file writes are performed.
- [COMMAND_EXECUTION]: The skill utilizes `mcp-sqlite-tools` to execute SQL queries against a local database file to retrieve message history for analysis.
- [DATA_EXPOSURE]: The skill identifies and accesses `~/.claude/ccrecall.db`, a file containing sensitive conversation history. This data is used locally within the agent's context to facilitate the skill's primary function of reflecting on previous interactions.
Audit Metadata