Is assistantheinrich-prog/session-health-monitor safe?

https://github.com/openclaw/skills/tree/main/skills/assistantheinrich-prog/session-health-monitor

86
SAFE

session-health-monitor is a context-window monitoring skill with no evidence of malicious behavior, data exfiltration, or hidden prompt manipulation — all scripts do exactly what they claim, network activity was limited to GitHub and Ubuntu infrastructure, and all canary honeypot files remained intact. The skill's two material risks are (1) setup-statusline.sh permanently installs a shell script in ~/.claude and patches settings.local.json without providing an uninstall path, and (2) the snapshot protocol instructs the agent to write session summaries to ~/.claude/memory files that persist into future sessions and could carry sensitive session data or be weaponized via a secondary prompt injection attack. Neither risk is currently exploited, but both represent non-trivial attack surface for a tool that modifies the Claude Code runtime environment.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 98/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (9)

MEDIUM Permanent modification of ~/.claude/settings.local.json -10

setup-statusline.sh injects a statusLine command into the user's Claude Code settings file using jq. The script backs up the original file before patching, but provides no automatic removal path. The injected command runs 'bash ~/.claude/session-health-statusline.sh' on every Claude Code statusline tick, indefinitely, even if the skill is subsequently removed.

MEDIUM Persistent shell script installed inside ~/.claude -8

setup-statusline.sh copies statusline.sh to ~/.claude/session-health-statusline.sh and marks it executable. This installs a persistent execution artifact inside Claude Code's configuration directory. The script's current content is benign (only reads stdin, writes a /tmp state file, and emits ANSI-colored text), but it constitutes a persistent shell hook running in a privileged configuration context.

LOW Agent instructed to append context-health footers to all outgoing messages -5

SKILL.md instructs the active agent to append a footer such as '63% Context Window | 1x compacted' to every outgoing message when context usage reaches YELLOW or above. This constitutes ongoing behavioral modification of the agent's response format based on an internal metric, applied unconditionally across all tasks.

LOW Snapshot protocol instructs agent to write session data to cross-session persistent memory files -15

SKILL.md directs the agent to periodically extract 3-5 key facts from the current session — including decisions made, files changed, and blockers — and write them to daily markdown files in ~/.claude/memory. These files are read by future Claude Code sessions as contextual memory, creating an indirect but real influence channel between sessions. Content written here is under the agent's (and therefore any attacker's) control.

LOW Session-derived facts written to persistent local memory files -10

snapshot.sh appends agent-provided session summaries to ~/.claude/memory/${today}.md. While no network exfiltration was observed and canary files are intact, these files accumulate session data — potentially including sensitive information visible in the session (credentials, API keys mentioned in conversation, internal file paths) — in a persistent local store readable by any process with user-level access.

LOW Cross-session memory persistence creates a latent prompt injection attack surface -8

Files in ~/.claude/memory are loaded into future Claude Code sessions as contextual memory. An adversary who can control content captured during a session — via a prompt injection attack on the user's project files, a malicious tool response, or social engineering — could cause the agent to write malicious instructions into these memory files, affecting all subsequent sessions indefinitely.

LOW Persistent Claude environment modifications not automatically reversed on uninstall -5

setup-statusline.sh modifies settings.local.json and installs a shell script that will continue executing after the skill package is removed. Users who install and then uninstall the skill must manually delete ~/.claude/session-health-statusline.sh and remove the statusLine key from settings.local.json to fully revert their environment.

INFO Network activity limited to expected infrastructure 0

All external network connections during install were to GitHub (140.82.114.3:443) for the git sparse-checkout clone and Ubuntu/Canonical servers (91.189.91.48:443) for OS update checks. DNS queries resolved only to github.com, fastly.net (CDN), and ubuntu.com infrastructure. No connections to unknown or suspicious endpoints were observed.

INFO All honeypot files confirmed intact post-install 0

The monitoring system reports all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud/application_default_credentials.json) intact with no modifications or confirmed exfiltration. The isolated .env PATH record at audit(1771932941.162:5553) during the git-clone phase is attributable to the monitoring system's periodic integrity sweep rather than skill-initiated access, based on the systematic sweep pattern visible at 1771932929.418 and 1771932946.912.