Security audit

Session Reflect

Security checks across malware telemetry and agentic risk

Overview

This skill clearly works on local Claude Code sessions and Obsidian notes to create local reflection files, but it handles sensitive personal data.

Install only if you are comfortable with local analysis of Claude Code history and Obsidian notes, and with derived observations being saved into your Vault. Avoid running it on shared or synced vaults containing client data, credentials, health information, or other material you would not want consolidated into reflection reports; review generated files and delete any unwanted digests or profiles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly describes reading local Claude session files and writing markdown output into an Obsidian Vault, yet it does not declare permissions for those capabilities. Missing permission disclosure weakens informed consent and makes the skill's access scope less transparent to users, especially because it processes private conversation history and notes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose emphasizes reflective journal generation, but the behavior also includes broad session scanning, historical backfill, state tracking, and writing conversation-derived digests into the Vault. That mismatch is dangerous because users may consent to 'reflection' without realizing the tool performs sustained data collection and persistence over sensitive local history and personal notes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill says the agent analyzes both synced session digests and 'your own notes in the Vault,' but the description does not prominently warn that personal notes beyond Claude sessions are part of the analysis set. This expands the data boundary into potentially very sensitive material such as diaries, work notes, credentials accidentally stored in notes, or unrelated personal records.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs the agent to write a new reflection file into the user's Obsidian Vault after broadly reading recent conversation logs, personal notes, and prior observations, but it does not require an explicit confirmation step before modifying user data. In a privacy-sensitive journaling context, silent persistence of inferred behavioral or emotional analysis can create unwanted records, expose sensitive profiling, and surprise the user with side effects they did not knowingly approve.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly reads a local config to locate the user's vault, mines recent notes and conversation history, and writes a synthesized behavioral report, but it provides no consent prompt, sensitivity warning, or minimization guidance. In this context, the data is highly personal and inferential, so the absence of guardrails increases the risk of processing and persisting sensitive personal information without adequate user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to read the user's last 14 days of conversation history and personal notes, then synthesize latent preferences and behavioral patterns without any visible consent, minimization, or privacy warning. This creates a real privacy risk because highly sensitive inferences can be derived from combined records and persisted to disk, expanding exposure beyond the original conversations.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The tool writes extracted Claude session content into the user's Obsidian vault during sync/backfill without a fresh, explicit warning or confirmation at execution time. Because session logs can contain sensitive prompts, internal reasoning, project names, or partially redacted secrets, this behavior can unintentionally persist private data into a broadly indexed note store, increasing exposure and retention risk in the exact skill context of journaling/exporting session history.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to read and analyze broad portions of the user's Obsidian Vault, including conversation history and personal notes, which are likely privacy-sensitive. Although the skill mentions respecting privacy and avoiding secrets in output, it does not require an explicit warning or fresh user confirmation before accessing and synthesizing potentially intimate data, creating a real over-collection and privacy-exposure risk.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to collect and summarize user notes and recent conversations into a natural-language drift report, which can surface sensitive personal details, inferred priorities, and behavioral patterns in a persistent file. Because the report is written into the vault, it can amplify exposure by consolidating scattered sensitive content into a single easily discoverable summary.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill directs the agent to aggregate private conversation records and personal notes, infer sensitive psychological and behavioral traits, and write the resulting assessment into a persistent report file. In the context of a reflection skill, that behavior is functionally aligned with the feature, but it remains dangerous because it performs profiling and durable storage of sensitive derived data that could later be exposed, misused, or accessed by other tools.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
git clone https://github.com/yuiooo1102-droid/session-reflect.git ~/coding/session-reflect

# Or install as Claude Code command
mkdir -p ~/.claude/commands/reflect
cp commands/reflect/*.md ~/.claude/commands/reflect/
```
Confidence
78% confidence
Finding
mkdir -p ~/.claude/commands/reflect cp commands/reflect/*.md ~/.claude/commands/reflect/ ``` ### 2. Initialize ```bash python3 ~/coding/session-reflect/extract_sessions.py init # You will be prompte

VirusTotal

67/67 vendors flagged this skill as clean.