session-recorder

The code is a benign integration guide and helper scripts for exporting/importing and serving session logs, not obvious malware. However it contains multiple security risks that can lead to sensitive data exposure: posting logs to arbitrary webhooks (exfiltration), unauthenticated Flask API that serves logs, and unsafe SQL construction in both PostgreSQL and SQLite import scripts (potential injection or corruption). The redaction script is brittle and incomplete. Operational choices like git commit --no-verify increase risk of accidental secrets in commits. I recommend: do not enable the Flask API without authentication and network restrictions; do not send logs to external webhooks unless the URL is trusted; convert DB inserts to parameterized/prepared statements or use safe client libraries; avoid embedding raw JSON via shell expansion; and strengthen redaction or avoid exporting logs that may contain secrets. Overall: not malicious but moderate-to-high risk for data leakage if used without safeguards.

[Skill Scanner] [Documentation context] Installation of third-party script detected The skill's stated purpose (session recording + assistant self-reports) aligns with the capabilities described. There are no direct signs of remote exfiltration, obfuscation, or embedded malicious payloads in this manifest. However the skill captures potentially sensitive inputs (tool arguments, outputs, absolute project paths) and relies on local bash scripts whose contents are not provided, which increases supply-chain and information-exposure risk. Recommend reviewing the actual hook and helper scripts (scripts/add_assistant_response.sh and all hooks) for unsafe behavior, adding explicit redaction and access-control guidance for logs, and minimizing logged data (avoid logging secrets). LLM verification: [LLM Escalated] This skill's design and documentation are consistent with a legitimate session-recording purpose. The main risks come from executing local helper/hook shell scripts referenced by an environment variable (CLAUDE_PLUGIN_ROOT) and from logging potentially sensitive user or tool data (absolute paths, prompt text, tool outputs) to local JSON files. No evidence in the provided documentation indicates network exfiltration or credential forwarding, but the absence of the actual script contents prevents