Skill Trust Decision

session-reflect

The skill declares local-only processing, but its command files spawn an undocumented shell subprocess to cat its config and sync sessions, and they read an undocumented ~/.claude memory path.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 6
Artifacts 2
Violations 1
Findings 3
Why this conclusion was reached

1/4 dimensions flagged

Block · Declared vs actual capability
1 undeclared or violating capability was inferred.

Review · Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.

Pass · Attack chain and severe findings
There is no explicit malicious chain in the report.

Review · Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undocumented shell subprocess +20

Commands run 'python3 ~/coding/session-reflect/extract_sessions.py sync' and 'cat ~/.config/session-reflect/config.json' via the shell; neither invocation is declared in SKILL.md.

Undeclared sensitive path access +15

commands/reflect/default.md:42 accesses ~/.claude/projects/-Users-wh-coding/memory/user_profile.md without disclosure

Hidden capability mapping +10

The subprocess invocations require a shell:WRITE capability that SKILL.md does not declare.

Most important evidence

Medium · Undeclared shell execution in command files
All three command files (default.md, drift.md, emerge.md) execute 'python3 ~/coding/session-reflect/extract_sessions.py sync' and 'cat ~/.config/session-reflect/config.json' via subprocess. SKILL.md declares filesystem:READ but does not mention any shell execution capability.
Location: commands/reflect/default.md, commands/reflect/drift.md, commands/reflect/emerge.md:3
Remediation: Update SKILL.md to declare shell:WRITE and document both subprocess invocations.

Medium · Undeclared memory path access
commands/reflect/default.md line 42 reads ~/.claude/projects/-Users-wh-coding/memory/user_profile.md, a sensitive user-profile path that SKILL.md does not mention.
Location: commands/reflect/default.md:42
Remediation: Document this path access in SKILL.md, or remove it if it is not essential.

Low · Hardcoded user-specific path segment
The memory path hardcodes the segment '-Users-wh-coding' (the encoded project path /Users/wh/coding from the author's machine; the username is 'wh', not 'wh-coding'), so the command will not resolve on other systems.
Location: commands/reflect/default.md:42
Remediation: Derive the home directory and project segment at runtime (for example from $HOME and the working directory) rather than hardcoding them.

Declared capability vs actual capability

Filesystem · Pass
Declared READ · Inferred READ
commands/reflect/default.md:42 reads the ~/.claude memory path

Shell · Block
Declared NONE · Inferred WRITE
Command files execute python3 and cat via the shell

Environment · Pass
Declared NONE · Inferred NONE
No direct environment access

Network · Pass
Declared NONE · Inferred NONE
No network requests found
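The declared-versus-inferred comparison above is a static check a reviewer can reproduce before installing a skill. The following is an added example, not the scanner's code or the session-reflect skill's own code. The `capabilities:` front-matter list in SKILL.md is an assumed format, and the file contents in SAMPLE_BUNDLE are constructed to mirror the report's findings (a declared filesystem:READ, shell invocations of python3 and cat, a ~/.claude path, and a documentation URL).

```python
import re

# Capability levels as the report ranks them; an inferred level above the
# declared one is a violation.
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}
DIMENSIONS = ("filesystem", "shell", "environment", "network")

# Constructed sample bundle, not the real session-reflect files. The
# `capabilities:` front-matter format in SKILL.md is an assumption made for
# this example; the command contents mirror what the report found.
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "---\n"
        "name: session-reflect\n"
        "capabilities:\n"
        "  - filesystem:READ\n"
        "---\n"
        "All processing happens locally.\n"
        "Demo: https://www.youtube.com/watch?v=6MBq1paspVU\n"
    ),
    "commands/reflect/default.md": (
        "Sync the raw sessions first:\n"
        "`python3 ~/coding/session-reflect/extract_sessions.py sync`\n"
        "Then load settings with `cat ~/.config/session-reflect/config.json`.\n"
        "Read ~/.claude/projects/-Users-wh-coding/memory/user_profile.md for context.\n"
    ),
}

DECLARED_RE = re.compile(r"^\s*-\s*(\w+):(NONE|READ|WRITE)\s*$", re.M)
# Interpreter or tool name at a token boundary, followed by an argument.
SHELL_RE = re.compile(r"(?<![\w/.-])(?:python3?|bash|sh|cat|curl|wget)\s+\S")
SENSITIVE_PATH_RE = re.compile(r"~/\.(?:claude|ssh|aws|config|gnupg)(?:/[\w.-]+)*")
ENV_RE = re.compile(r"\$\{?[A-Z_][A-Z0-9_]*\}?|os\.environ|getenv\(")
NETWORK_RE = re.compile(r"requests\.|urllib\.request|http\.client|socket\.socket|\b(?:curl|wget)\s")
URL_RE = re.compile(r"https?://[^\s)`]+")


def parse_declared(skill_md):
    """Capabilities SKILL.md claims; anything not listed counts as NONE."""
    declared = {d: "NONE" for d in DIMENSIONS}
    for dim, level in DECLARED_RE.findall(skill_md):
        if dim.lower() in declared:
            declared[dim.lower()] = level
    return declared


def infer_capabilities(bundle):
    """Walk every file line by line, keeping the strongest level each pattern implies."""
    inferred = {d: "NONE" for d in DIMENSIONS}
    evidence = {d: [] for d in DIMENSIONS}
    urls = []

    def raise_to(dim, level, where):
        if LEVELS[level] > LEVELS[inferred[dim]]:
            inferred[dim] = level
        evidence[dim].append(where)

    for path, content in bundle.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            where = f"{path}:{lineno}"
            if SHELL_RE.search(line):
                # Spawning a subprocess is scored as shell:WRITE, as the report does.
                raise_to("shell", "WRITE", where)
            if SENSITIVE_PATH_RE.search(line):
                raise_to("filesystem", "READ", where)
            if ENV_RE.search(line):
                raise_to("environment", "READ", where)
            if NETWORK_RE.search(line):
                raise_to("network", "WRITE", where)
            # Bare URLs in docs are artifacts to review, not evidence of egress.
            urls.extend((where, u) for u in URL_RE.findall(line))
    return inferred, evidence, urls


def verdicts(declared, inferred):
    """Block any dimension whose inferred level exceeds the declared one."""
    return {d: "Block" if LEVELS[inferred[d]] > LEVELS[declared[d]] else "Pass"
            for d in DIMENSIONS}


def scan(bundle):
    declared = parse_declared(bundle.get("SKILL.md", ""))
    inferred, evidence, urls = infer_capabilities(bundle)
    return {"declared": declared, "inferred": inferred, "evidence": evidence,
            "urls": urls, "verdicts": verdicts(declared, inferred)}


if __name__ == "__main__":
    result = scan(SAMPLE_BUNDLE)
    for d in DIMENSIONS:
        print(f"{d:<12}{result['verdicts'][d]:<7}declared {result['declared'][d]:<6}"
              f"inferred {result['inferred'][d]:<6}{'; '.join(result['evidence'][d])}")
    for where, url in result["urls"]:
        print(f"external URL at {where}: {url}")
```

On the sample bundle this yields the same picture as the table above: shell is blocked (declared NONE, inferred WRITE, evidence at default.md lines 2 and 3), filesystem passes because the declared READ covers the ~/.config and ~/.claude reads, and the YouTube URL is listed as an artifact rather than as network egress. The pattern list is deliberately narrow, so treat a Pass as absence of evidence, not as proof that a dimension is unused.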

Suspicious artifacts and egress

Medium · External URL
https://www.youtube.com/watch?v=6MBq1paspVU
SKILL.md:115

Medium · External URL
https://clawskills.sh/skills/riley-coyote-continuity
SKILL.md:117

Dependencies and supply chain

There are no structured dependency warnings.

File composition

6 files · 1069 lines
Python · 1 file · 542 lines
Markdown · 5 files · 527 lines
Files of concern · 2
SKILL.md Markdown · 117 lines
https://www.youtube.com/watch?v=6MBq1paspVU · https://clawskills.sh/skills/riley-coyote-continuity
commands/reflect/default.md Markdown · 64 lines
Undeclared memory path access · Hardcoded username in path
Other files · extract_sessions.py · reflect.md · emerge.md · drift.md

Security positives

Sensitive data patterns (API keys, tokens, passwords) are properly redacted in session content
All output is written locally to the user-specified Obsidian vault
No network exfiltration detected
No credential harvesting or data theft indicators
System prompts and boilerplate content are filtered
Code blocks are replaced with placeholders