session-history

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill serves and displays full local session files from ~/.claude/projects (showing complete messages), so any secrets embedded in those sessions would be read and output verbatim, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's frontend (assets/index.html) loads external JavaScript from https://cdn.jsdelivr.net/npm/diff2html/bundles/diff2html.min.js (and its CSS) and https://html2canvas.hertzen.com/dist/html2canvas.min.js at runtime in the user's browser, which executes remote code the UI relies on (diff rendering and image generation), satisfying the criteria for a runtime external dependency that can execute remote code.