find-claude
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
setup.shscript fetches the Bun installer fromhttps://bun.sh/installand clones theepisodic-memoryrepository from GitHub (github.com/obra/episodic-memory.git) to provide semantic search functionality. - [REMOTE_CODE_EXECUTION]: The
setup.shscript installs Bun by piping its installation script frombun.shdirectly to a shell. It also executesnpm installandnpm linkwithin the clonedepisodic-memoryrepository to install the tool and its dependencies. - [COMMAND_EXECUTION]: The skill executes local shell commands using
bunand theepisodic-memoryCLI to build search indexes, perform queries, and sync embeddings. These operations are managed via thesetup.shandsearch.tsscripts. - [DATA_EXFILTRATION]: The skill reads sensitive Claude Code conversation history logs stored in
~/.claude/projects/. Theindex-sessions.tsscript parses these files to extract metadata, such as user messages, file paths, and PR links, to populate a local index file at~/.claude/session-index/index.json. - [PROMPT_INJECTION]: The skill's process of reading and summarizing past conversation histories presents a surface for indirect prompt injection if the logs contain malicious instructions.
- Ingestion points: Reads
.jsonlsession files from the local filesystem (File:index-sessions.ts). - Boundary markers: No explicit markers or instructions to ignore embedded commands are used during indexing or search result synthesis.
- Capability inventory: Executes shell commands and external search utilities via
child_process.spawn(File:search.ts). - Sanitization: Relies on JSON parsing and regular expressions for data extraction.
Recommendations
- HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata