Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Session Tools
v0.1.0
Manage Claude Code sessions: lookup ID, search, import, summarize, analyze, classify, compress, delete, repair, and rename sessions accurately.
by es6kr@drumrobot
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the provided scripts and docs: the skill reads, summarizes, repairs, compresses, renames and deletes local Claude session JSONL files under ~/.claude/projects and calls MCP tools for analysis/import. However, some claimed behaviors (e.g., "Sensitive information is automatically filtered") are asserted in docs but I found no code implementing robust filtering; also the skill instructs registration via npx (runtime package download) which is outside the narrow local file-management expectation and should be justified.
Instruction Scope
SKILL.md and the included scripts instruct the agent to read and modify session JSONL files in the user's home (~/.claude/projects), append custom-title records, move/delete files (destroy), and rewrite files (dedup/repair). Import pipelines and compress/summarize operations can deliver session content to other agents or Serena memory (mcp__serena__write_memory or Task-tool pipelines). Those actions legitimately belong to a session-management skill, but they can transmit arbitrary conversation content (which often contains API keys, tokens, or other secrets). The docs claim automatic filtering of sensitive info, but I found no corresponding implementation in the provided scripts, so the agent could unintentionally exfiltrate secrets.
Install Mechanism
There is no formal install spec (instruction-only), which reduces supply-chain risk. However docs instruct registering the claude-sessions-mcp via UTCP and show an npx-based command (npx -y claude-sessions-mcp) for runtime registration; using npx will fetch and execute remote npm code at runtime. That behavior is not codified in a declared install step and represents a moderate supply-chain risk if the remote package is untrusted.
Credentials
The registry metadata declares no required env vars or credentials, which is consistent with local file operations. But the skill expects (and can call) external MCP services and Serena memory, which typically require service endpoints/credentials that are not declared. More importantly, the skill's import/pipeline features can transmit session contents (potentially including secrets) to other agents or external storage — yet the skill does not require or document explicit safeguards or credentials for those targets. The claim that sensitive information is "automatically filtered" is unsubstantiated in the code.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request system-wide persistent privileges. It does modify files in the user's ~/.claude workspace (expected for this kind of tool) and restarts the extension host when deleting sessions; those are within scope and documented. No 'always: true' or similar elevated privileges are requested.
What to consider before installing
This skill is coherent with the described purpose (managing local Claude session files) but carries data-exfiltration and supply-chain risks you should understand before installing:
- Review pipelines: The "import" and pipeline features can send full session contents to other agents or to Serena memory. Sessions often contain secrets (API keys, tokens, private config). Do not run import/pipeline functions unless you trust the target agent/service and have inspected what will be sent. Prefer dry-run or --analyze-only modes first.
- Validate the filtering claim: The docs say sensitive data is filtered, but I couldn't find code that reliably strips secrets. Assume session content may include secrets unless you verify filtering logic yourself.
- Inspect scripts locally: The skill includes bash/python scripts that will modify files under ~/.claude/projects (dedup, repair, destroy, rename). Back up important sessions before running destructive commands; the skill already performs some backups, but manual backups are recommended.
- Be cautious with npx/UTCP registration: The docs show using `npx -y claude-sessions-mcp` to register an MCP tool — that will download and run remote npm code. Only do this if you trust the npm package and its source.
- Test in a safe environment: If possible, run the skill on non-sensitive test sessions or inside an isolated account/container first.
- Ask the author or maintainer: Request explicit documentation of what data is sent in import pipelines, what filtering is applied, and any credentials required by the MCP/Serena calls. If those answers are missing, treat pipeline features as high-risk.
If you want, I can (a) highlight the specific lines/files to inspect further (summarize-session.py, any code that constructs pipeline Task tools, and whether summarize/export code truncates or filters tokens), or (b) produce a checklist of safe-run steps before using each subcommand.
Like a lobster shell, security has layers — review code before you run it.
