claude-devtools-inspector
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill documentation details how the tool accesses highly sensitive files, including the user's SSH configuration (~/.ssh/config) and private keys (~/.ssh/id_rsa), to monitor remote sessions. Access to private keys is a critical security risk.
- [EXTERNAL_DOWNLOADS]: Users are instructed to install software from untrusted sources, including a non-verified GitHub repository (github.com/matt1398/claude-devtools) and an unverified Homebrew cask.
- [COMMAND_EXECUTION]: The documentation provides commands for the user to execute that modify filesystem permissions (chmod 755 ~/.claude) and bypass macOS security features (xattr -d com.apple.quarantine) for unverified applications.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted session logs from ~/.claude/sessions/ and ~/.claude/projects/. Malicious content within these logs could influence the tool's behavior or the agent's analysis.
- Ingestion points: Reads session log files (JSONL) and project memory markdown files from the local filesystem.
- Boundary markers: There are no instructions or delimiters provided to ensure the agent ignores or sanitizes embedded instructions within the logs.
- Capability inventory: The tool performs local filesystem reads, starts a local network server (port 3456), and accesses SSH credentials.
- Sanitization: No mention of validation or sanitization of external log content before it is processed or displayed.
Recommendations
- AI detected serious security threats
Audit Metadata