claude-code-sessions
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Accesses sensitive local files located in `~/.claude/projects/`. These JSONL files contain the full history of Claude Code sessions, which frequently include source code, configuration secrets, and other private information handled during development.
- [COMMAND_EXECUTION]: Instructs the user to execute local code via `bun run ui` and various CLI modules (`lib/session-parser.ts`, `lib/session-store.ts`). This includes starting a local web server on port 3000, which exposes session data through an HTTP interface on the local machine.
- [EXTERNAL_DOWNLOADS]: References and utilizes code from an external GitHub repository (github.com/apappascs/claude-code-sessions) which is not explicitly linked to the stated vendor. This repository provides the core logic for parsing and managing the session data.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection because it ingests and processes untrusted data from past session files. If a previous chat session contains malicious instructions, the agent could potentially be influenced when searching, summarizing, or analyzing that session history.
- Ingestion points: Reads JSONL files from the `~/.claude/projects/` directory.
- Boundary markers: None identified in the provided documentation to distinguish between session content and agent instructions.
- Capability inventory: Includes file deletion capabilities (`/session-delete`), network server hosting (`ui/server.ts`), and context recovery generation.
- Sanitization: No evidence of sanitization or filtering of session content before processing.
Audit Metadata