Skill v0.2.1

ClawScan security

Session Reflect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 5:10 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally coherent: it locally reads Claude Code session files and an Obsidian Vault, generates reflection markdown files, and stores state under ~/.config — it does not request external credentials or show signs of exfiltration in the provided code/instructions.
Guidance
This skill appears to do what it says: it locally extracts Claude session content and analyzes your Obsidian notes to produce reflection journals. Before installing or running it:
1) Review extract_sessions.py yourself (it is included in the bundle) and confirm that it contains no unexpected network or upload calls.
2) Be aware that the tool reads your entire Vault and your recent Claude sessions. If you store secrets or sensitive data there, redact or move them first; the script attempts regex-based redaction, but that is not foolproof.
3) If you follow the optional 'git clone' install step, treat that repository like any other third-party code and review it before running it.
4) Back up your Vault before the initial backfill.
5) Decide whether, and when, you allow the agent to invoke this skill autonomously: autonomous use combined with access to your notes increases the impact of any mistake.
If you want higher assurance, run the included script in an isolated environment, or inspect and adjust the sanitization rules to match your threat model.

Review Dimensions

Purpose & Capability
ok · Name and description (session analysis → Obsidian) match the code and SKILL.md: the script discovers ~/.claude/projects/*.jsonl, extracts user messages, sanitizes them, and writes markdown into the user-specified Obsidian Vault. It requests no unrelated credentials, binaries, or config paths.
Instruction Scope
note · The instructions explicitly tell the agent to read both the auto-synced '对话记录' (conversation records) folder and the user's recent Obsidian notes to produce its analyses. This is coherent with the stated purpose, but it means the skill reads arbitrary user notes, which may contain sensitive material. The script implements regex-based redaction and truncation, but regex redaction is not perfect: users should assume the tool can see any plaintext stored in the Vault and in the Claude session files.
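To make the "regex redaction is not perfect" point concrete, here is an added example (not the skill's own sanitization code) that applies a small set of constructed redaction rules of the kind a session extractor might use, then runs an entropy check over whatever survives. It shows that structured credentials with a known prefix are caught, a credential in an unlisted format survives the regex pass but is flagged by entropy, and a secret written as plain English is missed by both. The rules, the threshold and the session excerpt are all assumptions; none of the values is a real credential.

```python
"""Regex redaction and its blind spots (added example)."""
import math
import re
from collections import Counter
from typing import List

# Constructed redaction rules (assumed; a real script's list will differ).
PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[AWS_ACCESS_KEY_ID]"),
    (re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"), "[API_KEY]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
                re.S), "[PRIVATE_KEY]"),
    (re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"), r"\1=[REDACTED]"),
]

# Any run of token-like characters long enough to be a credential.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def redact(text: str) -> str:
    """The regex-only step: apply every rule in order."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above English words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def leftover_high_entropy_tokens(text: str, threshold: float = 3.5) -> List[str]:
    """Token-like strings that survived redaction yet look random: review by hand."""
    return [t for t in TOKEN_RE.findall(text) if shannon_entropy(t) >= threshold]


# Constructed session excerpt; every value is made up for the example.
SAMPLE_SESSION = "\n".join([
    "deploy with AKIAIOSFODNN7EXAMPLE and password=hunter2 on the staging box",
    "github token is ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8 if you need it",
    "the vault passphrase is correct horse battery staple, never write it down",
])

if __name__ == "__main__":
    cleaned = redact(SAMPLE_SESSION)
    print(cleaned)
    print("still suspicious:", leftover_high_entropy_tokens(cleaned))
```

Run it and you get the AWS key and password replaced, the GitHub-style token untouched by the regexes but reported by the entropy pass, and the passphrase sentence passed through verbatim. That last line is the one the scanner's caveat is about: no pattern or entropy test recognises a secret expressed as ordinary words, so the only reliable control is to keep such material out of the Vault and session files before the skill reads them.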
Install Mechanism
ok · No install spec is embedded in the skill bundle; it is instruction-only and ships the Python script. SKILL.md suggests an optional git clone from a GitHub repository, which is normal. The included code contains no network calls or download behavior. Note that running the optional git clone fetches external code and should be treated like any other third-party repository.
Credentials
ok · The skill requires no environment variables, credentials, or privileged config paths. It reads files under the user's home directory (~/.claude/projects and the Obsidian Vault) and stores state under ~/.config/session-reflect, all of which is proportional to its function.
Persistence & Privilege
note · The skill is not marked always:true and does not request elevated system privileges. It writes its own config and state under ~/.config/session-reflect and creates folders inside the user-specified Vault, which is expected. Because model invocation is allowed (the default), the agent can invoke the skill autonomously; combined with the skill's access to personal notes, that increases the potential blast radius, but this is normal platform behavior rather than a specific flaw in the skill.