claude-reflect
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly: This installer adds local hooks that log nearly all tool activity (commands, file paths, timestamps) and stores these records unencrypted under workspace-hub/.claude/state (or $HOME/.claude). There is no network exfiltration or obfuscated payload in the provided code, so it does not appear to be malware in the traditional sense. However, it is privacy-invasive telemetry and a supply-chain risk: installing it into a repository will start collecting potentially sensitive developer activity and repository context. Treat this as a privacy/security concern: require explicit user consent, audit the stored logs, restrict file permissions, and review any automated uploads or subsequent tools that might read and transmit these logs.