analytics
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
bun x ccrecallto download and execute the ccrecall package directly from the npm registry. This package is maintained by the skill author. - [COMMAND_EXECUTION]: The instructions provide multiple shell commands for managing and querying the usage database, such as
ccrecall sync,ccrecall stats, andccrecall query. - [DATA_EXFILTRATION]: The skill accesses a local database file at
~/.claude/ccrecall.db. This file contains sensitive information, specifically the user's Claude Code transcript history and session metadata. Accessing this file is the primary purpose of the skill, but it constitutes access to private data. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes and summarizes historical chat messages stored in the database. Malicious instructions contained within past sessions could be interpreted by the agent during the analysis process.
- Ingestion points: The
messagestable within~/.claude/ccrecall.db. - Boundary markers: None identified in the provided queries or instructions.
- Capability inventory: Database querying via SQLite and shell command execution via bun.
- Sanitization: No evidence of sanitization or filtering of the retrieved transcript content before it is processed by the agent.
Audit Metadata