obsidian-dream
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local shell commands (`find`, `grep`, `ls`, `date`) to search through session transcripts and manage state files in the `~/.claude` directory. It also utilizes a shell script (`should-dream.sh`) triggered by platform hooks to determine when to run maintenance tasks.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes data from historical session logs (`.jsonl`). An attacker who successfully injects instructions into a previous conversation could have those instructions promoted to the agent's long-term memory files, potentially influencing all future interactions.
  - Ingestion points: Historical session transcript files located in `~/.claude/projects/*/sessions/`.
  - Boundary markers: Relies on the JSON structure of logs (human vs. assistant messages) but lacks logic to distinguish between genuine user data and embedded malicious commands.
  - Capability inventory: Possesses the ability to write to and modify memory topic files (`~/.claude/projects/*/memory/*.md`), which the agent treats as authoritative context in subsequent sessions.
  - Sanitization: No sanitization or filtering of extracted text is performed before it is merged into the persistent memory store.
Audit Metadata