Back to skill

Security audit

Claude Session

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Claude session-management skill, but it can rewrite or delete session history and can send or persist session contents in other systems without consistently strong user control.

Review this skill before installing. Use it only if you are comfortable giving it access to prior Claude session logs. Prefer dry-run modes, keep backups, avoid running destructive commands on the active session, and disable or avoid Serena sync, RAG dispatch, import pipelines, and automatic hooks unless you deliberately want those data flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents capabilities that read, write, move, sanitize, repair, archive, and delete files under ~/.claude/projects, but it declares no permissions boundary. That creates a trust and review gap: users or platforms cannot accurately assess that the skill can modify or destroy session data before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented behavior omits materially sensitive actions such as restarting the IDE/extension host and removing API error lines plus preceding user messages during repair. When destructive or privacy-relevant behavior is under-described, users may invoke the skill without informed consent and lose data they did not expect to be touched.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The `--sync` path expands a session-analysis skill into cross-system data propagation by extracting project knowledge and writing it into Serena memory. This creates an additional persistence and disclosure channel for potentially sensitive project context, increasing the blast radius beyond the stated analysis function.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill writes extracted project knowledge into Serena memory even though the primary purpose presented to users is session analysis. Persisting summarized project decisions, workflows, and hot files can leak sensitive internal information into another subsystem where access, retention, or later reuse may be broader than the user expects.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The archive skill expands a local file-management action into external receiver discovery, MCP inspection, and endpoint reachability checks. That materially broadens the skill's capability surface beyond archival and creates an unexpected pathway to interact with external systems, which can expose environment details and enable follow-on data handling not implied by the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Requiring `curl`-based endpoint probing as part of a session archive flow introduces unnecessary network capability into an otherwise local operation. This can leak internal service topology, trigger outbound connections without user intent, and normalize network access in a context where it is not operationally required.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The topics table advertises a destroy capability ('Delete current session and restart IDE') at the point of discovery without an immediate, prominent warning about irreversible deletion. In a session-management skill, destructive actions are contextually plausible, which makes accidental invocation more likely unless strongly signposted.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The purge topic documents permanent deletion of 'dead sessions' without a prominent safety warning near the entry point. Because the heuristic for 'dead' sessions is simple, users may permanently remove sessions that still have value or were misclassified.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The import topic describes piping session data to other agents or systems but does not warn that session contents may contain sensitive prompts, secrets, paths, or personal data. This can lead to unintentional data exfiltration beyond the local session store.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The destroy command example presents a deletion command without an explicit irreversible-deletion warning at the point of use. Example blocks are high-risk because users often copy-paste them directly, so omission of warnings increases accidental data loss risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The purge section references a permanent deletion mode (--delete) without adequately emphasizing that data loss is irreversible. Given that the skill operates on stored session histories, this can cause bulk deletion of user records with limited user awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow persists extracted project knowledge to Serena memory without any user warning, consent checkpoint, or review of the content being stored. That omission can cause unintentional long-term storage of sensitive codebase metadata, design decisions, or workflow patterns, creating privacy and confidentiality risks.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The instructions perform a destructive `mv` of session files and optionally append metadata to a ledger, but they do not require an explicit user confirmation at execution time or a clear warning that the session disappears from active listings and changes location. For a transcript-management skill, that creates a meaningful risk of accidental data relocation, confusion, and operational loss if users assume archival is non-destructive or easily discoverable afterward.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The document instructs users to run a destructive session-management command and notes the current conversation will end, but it does not present a clear warning immediately before invocation that the action will terminate the active session and trigger an Extension Host restart. In this skill context, the behavior is intentional and documented elsewhere, so the risk is mainly accidental invocation or surprise disruption rather than covert compromise.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documented hook behavior triggers on generic bare words like 'session', 'rag', or 'qdrant', which can cause the hook to run during ordinary conversation rather than explicit user intent. In a session-management skill, unintended invocation increases the chance of leaking session metadata into prompts or system reminders and expands the attack surface for prompt-triggered side effects.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill routes session content based on simple keyword detection in the prompt, which can misclassify user intent or be influenced by incidental text. Because the selected pipeline controls which downstream agent receives conversation data, ambiguous matching can cause unintended disclosure or processing by the wrong agent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly describes delivering session data to other agents via a pipeline, but the quick-start flow does not require a prominent privacy warning or affirmative consent before transmission. Since session logs may contain secrets, personal data, or internal context, silent forwarding increases the risk of unintended data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly includes deletion of session files and directories (`rm` / `rm -r`) for 'TINY' sessions, but it does not provide a prominent user-facing warning that this action is destructive and may be irreversible. In a session-management skill operating on `~/.claude/projects/`, users may underestimate the risk and approve deletions without understanding that conversation history and associated artifacts can be permanently lost.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill explicitly instructs moving session files and modifying internal cwd references, but it does not include a clear warning that these actions change files on disk and may relocate data or make sessions harder to recover if used incorrectly. While the behavior appears aligned with the skill’s stated purpose, the lack of an explicit impact warning increases the chance of accidental destructive use, especially when targeting multiple session IDs or project paths.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented repair step instructs users to delete lines from a live session file with sed after only minimal guidance, which can irreversibly remove valid conversation data or corrupt session structure if line numbers are wrong or file state changes. In this skill context, users are encouraged to operate on important persisted session history, so destructive manual edits without a prominent warning and safer transactional workflow increase the chance of integrity loss.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The split-repair procedure directly rewrites source and destination session files, updates parentUuid and sessionId, and appends/truncates content with no strong warning about overwrite, partial-write, or chain-corruption risk. Because these are persistent session artifacts, a mistake in indices, paths, or interrupted execution can permanently damage both sessions and destroy audit/history continuity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script reads Claude session JSONL files from the user's home directory and prints extracted todo content directly to stdout without any warning, confirmation, or redaction step. Session todos can contain sensitive project details, secrets, internal URLs, or other confidential task text, so exposing them through terminal output, logs, or piping can unintentionally leak data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script overwrites the input session file in place, deletes or alters records, and only creates a sidecar .bak backup, but the usage/help text does not clearly warn users that the default mode is destructive. In a session-management skill, users may reasonably run the command expecting analysis or repair output, and accidentally modify or lose session history, especially if the backup is later overwritten or ignored.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents an operation that mutates session history and explicitly notes that the split behavior is counterintuitive, but it does not require a strong confirmation step or prominently warn that executing the command will permanently reorganize conversation data. In a session-management skill, this creates a realistic risk of accidental destructive action, especially when an agent or user assumes the split direction matches intuition.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill is explicitly designed to retrieve and summarize content from other Claude Code sessions, which can expose prior conversation data, secrets, or sensitive project context. Although the user invokes the feature intentionally, the instructions do not require a clear upfront privacy warning or explicit confirmation before accessing and displaying another session's contents, increasing the risk of unintended disclosure.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/batch-compress.py:28

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/repair-session.py:21