reflect-learn / reflect

allowed-tools grants Bash without scope restrictions. The skill executes arbitrary Python scripts (state_manager.py, signal_detector.py, metrics_updater.py) and git commands without constraining what those scripts can do. Combined with Write and Edit permissions, this enables modification of any file and execution of any command.

highreflect-learn:L19,49-50,65,223,332

allowed-tools grants Write and Edit without scope restrictions. The skill modifies agent files, creates new skills, updates state files, and writes reflection outputs across the project and user home directory without limiting which paths can be modified.

highreflect-learn:L15,16,199-203,260-267

allowed-tools grants Read without scope restrictions. The skill reads conversation history, agent files, and state files without limiting which paths can be accessed. Combined with Bash execution, this enables reading sensitive files anywhere on the system.

highreflect-learn:L14,65,76

The skill executes Python scripts bundled in scripts/ directory (state_manager.py, signal_detector.py, metrics_updater.py, output_generator.py) without verifying their integrity or content. While these are bundled files, the skill's auto-approved Bash permission means any modifications to these scripts (or injection of new scripts) execute immediately without user approval. An attacker with write access to the skill directory can inject malicious code into these scripts.

highreflect-learn:L49-50,65,223,315-320

The skill modifies agent files, CLAUDE.md, and other configuration files using the Edit tool (lines 199-203). While the skill claims to 'ONLY add to existing sections' and 'NEVER delete', the Edit tool permission is unrestricted and the skill body does not enforce these constraints at the platform level. A malicious signal could instruct the skill to overwrite or delete critical files.

mediumreflect-learn:L199-203,296-298

The skill reads conversation history, agent files, and project memory files (MEMORY.md) with unrestricted Read permission. These files may contain sensitive information (API keys, credentials, private project details, user preferences). The skill stores this data in reflection output files (.claude/reflections/) and state files (~/.claude/session/) without encryption or access controls.

mediumreflect-learn:L14,260-267,271-281

allowed-tools grants Grep and Glob without scope restrictions. The skill can search and enumerate files across the entire filesystem to locate agent files, state files, and other targets.

mediumreflect-learn:L17,18