Dynamic code execution
Critical
- Finding
- Dynamic code execution detected.
Claude Session
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill mostly matches its Claude session-management purpose, but it can register an unpinned helper and make broad changes to private Claude conversation files, so it deserves careful review.
Install or use this only if you are comfortable giving it access to your Claude Code session files. Review and pin the claude-sessions-mcp dependency, run dry-runs before bulk actions, back up ~/.claude/projects, avoid arbitrary paths for batch compression, and redact secrets before importing sessions or syncing them to memory.
Static analysis
Dynamic code execution
Critical
- Finding
- Dynamic code execution detected.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
A changed or compromised latest npm package could run with access to your Claude session history.
Why it was flagged
The skill can register an MCP server by running an unpinned npm package through npx. That package would be used for session operations and could access or modify Claude session files.
Skill content
"command": "npx", "args": ["-y", "claude-sessions-mcp"]
Recommendation
Use a vetted and pinned version of claude-sessions-mcp, review the package source, and avoid automatic registration unless you trust the package.
What this means
If pointed at the wrong directory, it could rewrite or delete many non-session JSONL files, causing broad data loss or corruption.
Why it was flagged
The helper accepts an arbitrary root path, recursively processes all JSONL files, and replaces originals in non-dry-run mode. Optional cleanup flags can also delete or rename sidecar JSONL files.
Skill content
python batch-compress.py <path> # Recursively find *.jsonl in path + dedup ... os.walk(root) ... os.replace(dedup_path, jsonl_path)
Recommendation
Run only in dry-run first, restrict it to intended Claude session directories, and make a separate backup before allowing recursive writes.
What this means
Important session history could be deleted if the automatic classification is wrong or if execute mode is used too broadly.
Why it was flagged
The classification workflow can delete or extract-then-delete sessions when the user chooses the execute mode. This is aligned with the skill purpose, but it is high-impact because classification may be imperfect.
Skill content
/session classify --execute # execute immediately after classification ... mcp__claude-sessions-mcp__delete_session({ project_name: "<project>", session_id: "<id>" })Recommendation
Run classification without --execute first, review the table, and back up session files before deleting.
What this means
Running the script executes bundled Python code, including the dynamically loaded helper.
Why it was flagged
This dynamically executes a local helper module from the skill's scripts directory. It appears to be local helper loading rather than hidden remote execution, but it explains the static scan warning.
Skill content
spec.loader.exec_module(mod)
Recommendation
Review the bundled scripts before running them, especially before allowing writes to session files.
What this means
Sensitive or incorrect information from prior conversations could be stored and reused in later work.
Why it was flagged
The optional --sync flow extracts project knowledge from session content and writes it to Serena memory, creating persistent reusable context.
Skill content
mcp__serena__write_memory({ memory_file_name: "project-knowledge-{safe-project-name}.md", content: "<formatted-markdown>" })Recommendation
Use --sync only after reviewing the extracted content, and avoid storing secrets, credentials, or unverified instructions in memory.
What this means
Private conversation content, including possible tokens or secrets mentioned in a session, may be copied into another agent's context.
Why it was flagged
The import workflow can pass fetched session content to another agent selected by the user. The file also notes that sensitive information should be reviewed manually before import.
Skill content
subagent_type: "{specified agent}" ... <session_context> {fetched session data} </session_context>Recommendation
Import only sessions you have reviewed, redact sensitive content first, and choose the receiving agent explicitly.