Session Tools

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent session-management tool, but it can read, forward, persist, rewrite, move, and delete Claude conversation history with weak safety gates.

Install only if you intentionally want a tool that can operate over your Claude session history. Before using import, summarize, analyze --sync, classify --execute, destroy, repair, compress, or bulk cleanup, verify the exact project/session, back up important sessions, and avoid forwarding or persisting sessions that may contain secrets, credentials, private prompts, or sensitive business context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill explicitly states that sensitive information is automatically filtered, but every documented pipeline example forwards fetched session conversation/data directly to downstream agents without showing any redaction or filtering step. This creates a false sense of safety and can lead operators to transmit secrets, private prompts, or internal context to other agents under the assumption that sanitization already occurred.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly exposes a destructive action ('destroy' / delete current session and restart IDE) but the main documentation does not clearly state that the action can permanently remove session data or that recovery may be impossible. In a session-management skill, users may invoke commands from the quick reference without opening the detailed guide, so the lack of an immediate warning increases the chance of accidental data loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The optional `--sync` path persists session-derived project knowledge into Serena memory without an explicit user warning, confirmation step, or data-minimization guidance. Session analysis can include sensitive context such as file paths, workflow patterns, decisions, and other metadata, so silently converting transient session data into longer-lived memory increases the risk of unintended retention and later disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes direct instructions to delete sessions and perform bulk cleanup of empty/invalid sessions, but it does not require an explicit confirmation step immediately before destructive actions or provide a strong data-loss warning at the point of execution. In an agent skill, this creates a real risk of unintended irreversible deletion if the operator misclassifies sessions, passes --execute casually, or runs the bulk cleanup path without understanding the consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill explicitly documents a destructive action that deletes or moves the active Claude Code session and notes that the current conversation will end, but it does not require an explicit confirmation step or strongly warn users to verify the active session before running it. In practice, users may invoke it from the wrong project or at the wrong time, causing unintended loss of active work, disruption of ongoing tasks, and confusion during recovery even though a backup is created.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Routing based on simple keyword presence in the prompt is ambiguous and can select an unintended downstream pipeline when those words appear incidentally in user text or imported session content. Because the selected target determines where session data is sent, misrouting can cause unintended disclosure of conversation context to the wrong agent or processing path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says it delivers session data to other agents/skills but does not provide a clear user-facing warning or consent checkpoint before transmission. Since session data may contain sensitive prompts, system context, or business information, the lack of an explicit disclosure increases the chance of accidental over-sharing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to read user messages from session files to infer content and generate a title, but it does not require user notice, consent, or minimization. This creates a privacy risk because sensitive content from prior conversations may be accessed and then reflected in a session title, which is a more visible metadata field.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This section gives concrete destructive repair commands that delete or rewrite session data, but it does not require an explicit confirmation step or prominently warn that conversation history can be permanently altered. In an agent skill context, that increases the chance an automated or hurried user follows the steps and unintentionally loses data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The recovery procedure directly rewrites one session file and appends modified records into another, which can irreversibly change conversation history if the split index or target session is wrong. Because the instructions are framed as a recovery recipe without a prominent caution or confirmation requirement, they create a meaningful risk of operator-induced data corruption.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script performs a state-changing file move on Claude session data without any confirmation, dry-run, or explicit target verification. In a developer tool context, this can cause unintended loss of active session state or disruption of workflows, especially because it automatically selects the latest .jsonl file rather than asking the user to confirm the exact session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to retrieve and summarize content from other sessions, which can expose private conversation history, secrets, or sensitive project context if the user does not fully understand the scope of access. Although the feature appears intended for productivity, the absence of a prominent consent/privacy warning and confirmation step makes unintended disclosure plausible.

Ssd 3

High
Confidence
97% confidence
Finding
The skill explicitly describes grepping local Claude session JSONL logs for arbitrary keywords drawn from prior user messages and file paths, then returning matching session IDs. This creates a retrieval mechanism over historical conversation data that can expose sensitive prompts, file names, and other previously shared information across sessions without clear authorization or scope boundaries.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions tell Claude to extract user messages from the session file and use that content to create output written back to disk as a title. Because titles are concise summaries and may be displayed in listings or UIs, sensitive details from the conversation can be unintentionally disclosed or persisted in a more prominent place than the original messages.

Context Leakage

High
Category
Data Exfiltration
Content
See [profanity-cleaner.md](./profanity-cleaner.md) for details.

### 4. Extract Conversation Content (Using Script)

```bash
~/.claude/skills/session/scripts/summarize-session.py <project_name> <session_id> [limit]
```
Confidence
95% confidence
Finding
Extract Conversation

VirusTotal

65/65 vendors flagged this skill as clean.
