Publish Session Name Sync
WarnAudited by ClawScan on May 13, 2026.
Overview
The skill has a coherent session-name syncing purpose, but it contains an unsafe generated command pattern and gives the agent broad authority to rewrite session metadata and restart cc-connect.
Install only if you understand that this skill will read and modify Claude Code and cc-connect session metadata. Run it from trusted work directories, review any generated shell/Python commands, back up cc-connect state before register mode, and confirm daemon restarts or bulk changes manually.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill from a specially named or untrusted directory could execute unintended local code or break the sync command.
The WORK_DIR value is interpolated directly into Python code inside a shell command. A directory name containing quotes or code-like characters could break out of the string and cause unintended Python execution if the agent runs this command.
HASH=$(python3 -c "import hashlib; print(hashlib.sha256('${WORK_DIR}'.encode()).hexdigest()[:8])")Do not run generated commands blindly. The publisher should pass WORK_DIR as an environment variable or argument and read it as data in Python, rather than embedding it into source code.
A register operation could unexpectedly alter session listings/names, interrupt the Feishu connection, or change cc-connect behavior.
Register mode can stop a running daemon, rewrite cc-connect state, restore or change names, alter history counts, and change past_id_tracking. The text says to warn after restart, but the visible instructions do not require a separate user confirmation after showing the planned changes.
Stop daemon → make all changes in one atomic write (register + restore + mismatches + history + `past_id_tracking=False`) → restart daemon → warn user about 5-minute recovery delay.
Before running register mode, review the proposed changes, back up the cc-connect JSON file, and require explicit confirmation before daemon stop/restart or bulk writes.
Session titles or first-message snippets from local Claude Code history may be displayed or copied into cc-connect session metadata.
The skill reads local Claude Code session logs and may use the first user message as a fallback name. That is relevant to session naming, but those logs can contain private conversation content.
Scan all JSONL files in Claude Code project dir, extract custom-title/ai-title for each ... Read Claude Code title: grep for `custom-title` ... then `ai-title`, then first user message
Use this only for sessions whose names or first-message summaries you are comfortable exposing in cc-connect, and review generated names before syncing them.