history-insight

Warn

Audited by Socket on Mar 4, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is functionally consistent with its stated purpose: locating and summarizing local Claude Code session JSONL files. It reads sensitive local conversation data and runs local shell tools plus a local helper script, and it spawns Task(opus) subagents to process batches. There is no evidence of network exfiltration, hardcoded credentials, obfuscation, or explicit malicious code in the provided content. Primary security concerns are privacy and supply-chain risk from executing a local script (extract-session.sh), temporary file exposure under /tmp, and the potential for subagents to be additional execution contexts that could mishandle sensitive data. Recommend adding explicit secret/redaction steps, secure temp-file handling, requiring confirmation for broad-scope scans, and validating the integrity of any external/local scripts before execution.

Confidence: 80%
Severity: 75%

Audit Metadata

Analyzed At: Mar 4, 2026, 11:05 AM
Package URL: pkg:socket/skills-sh/ai-native-camp%2Fcamp-2%2Fhistory-insight%2F@7605fcbcd1a69f57de9a09a7c90fc485410a6995