session-search

Warn

Audited by Socket on Mar 3, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill's capabilities are consistent with its stated purpose (searching and retrieving past sessions). It legitimately needs read access to the SQLite DB and legacy JSON files and provides useful local tools and SQL examples. However, there are moderate security concerns: (1) session_get can forward full session contents to an external TTC compression service when TTC_API_KEY is present — the TTC endpoint and privacy handling are unspecified, creating a potential exfiltration/credential risk; (2) examples include REST API DELETE operations and direct DB access which, if executed by an automated agent without explicit user authorization, could mutate or remove sensitive data; (3) semantic search (lss) may rely on external embedding providers, which also risks sending session content externally. These flows are proportionate to the tool's purpose only if executed interactively by a trusted operator and if external services are trusted and documented. I recommend requiring explicit confirmation for any destructive commands, documenting the TTC endpoint and privacy policy, offering an option to disable external compression/embedding, and minimizing the default scope of data sent externally.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Mar 3, 2026, 08:37 AM
Package URL: pkg:socket/skills-sh/kortix-ai%2Fkortix-registry%2Fsession-search%2F@7383a7d9db13b3346701f345eb3ec13a1201dea3