Ai Session Analysis

Pass

Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: ai-session-analysis
Version: 0.1.1

The skill is a local analytics utility designed to aggregate and visualize usage statistics from AI coding assistants (Claude Code, Codex, and Kimi Code). It reads session logs and transcripts from local directories (~/.claude, ~/.codex, ~/.kimi) to generate terminal reports and a self-contained HTML dashboard using Chart.js. While it accesses sensitive conversation history and shell logs, all processing is performed locally, and the scripts (analyze.py, generate_report.py, tool_analysis.py) contain no network exfiltration logic or unauthorized execution capabilities. The SKILL.md includes appropriate security warnings advising the user not to share the generated HTML report due to the sensitive data it contains.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your local coding-assistant history, including project names, file paths, commands, and usage patterns, may appear in reports or summaries.

Why it was flagged

The skill intentionally reads persistent local AI-assistant session records and can generate an HTML file containing sensitive work-history metadata. This is aligned with the stated purpose, but users should treat the outputs as private.

Skill content

Scripts read directly from these paths... `~/.claude/projects/*.jsonl` | Full transcripts... `~/.claude/history.jsonl` | User input history... The HTML report (`generate_report.py`) embeds your session data directly — file paths, shell commands, project names, and tool usage patterns.

Recommendation

Run it only on machines and accounts where you are comfortable analyzing all matching session history, and do not share generated reports or raw output without reviewing them first.

What this means

A user could share terminal output believing it is only aggregate data, accidentally exposing sensitive commands, searches, or project context.

Why it was flagged

The documentation's safe-to-share claim is contradicted by code that prints raw sample shell commands and web-search queries, which can contain private paths, secrets, repository names, or work details.

Skill content

SKILL.md: "The terminal-based scripts (`analyze.py`, `tool_analysis.py`) only print aggregate statistics and are safe to share."

scripts/tool_analysis.py: `print(f"\n  Sample commands:")` ... `print(f"    $ {cmd[:150]}")` and `for q in searches[:3]: print(f"  \"{q}\"")`

Recommendation

Treat terminal output as potentially sensitive too; the author should revise the Security Note or redact raw examples before printing.

What this means

The scripts can read local session files and write a report file when run.

Why it was flagged

The skill asks the agent or user to execute bundled local Python scripts. This is central to the skill's purpose and the provided code is stdlib-only, but it still runs with the user's local file permissions.

Skill content

python3 ~/.claude/skills/ai-session-analysis/scripts/analyze.py
python3 ~/.claude/skills/ai-session-analysis/scripts/tool_analysis.py
python3 ~/.claude/skills/ai-session-analysis/scripts/generate_report.py [output.html]

Recommendation

Run the scripts intentionally, review their outputs before sharing, and use an output path you control for the HTML report.