AI Agent Session Security Auditor — scan Claude Code session logs for credential leaks, dangerous commands, prompt injection, and data exfiltration.
Analyzes JSONL session transcripts from Claude Code (and compatible agents) to detect security concerns that might otherwise go unnoticed. Zero dependencies.
AI coding agents run commands, read files, and write code on your behalf. Their session logs contain everything they did — including any security mistakes:
- Credentials printed in output (API keys, tokens, private keys)
- Sensitive files accessed (.env, .ssh, AWS credentials)
- Dangerous commands executed (sudo, rm -rf, pipe-to-shell)
- Prompt injection in tool outputs (malicious content from fetched pages)
- Data exfiltration attempts (webhooks, ngrok tunnels, pastebins)
sessionaudit catches these automatically.
curl -O https://raw.githubusercontent.com/kriskimmerle/sessionaudit/main/sessionaudit.py
chmod +x sessionaudit.py
pip install sessionauditRequirements: Python 3.9+
# Audit all Claude Code sessions (default location)
sessionaudit
# Audit a specific session file
sessionaudit ~/.claude/projects/my-project/session-abc123.jsonl
# Recursive scan of all sessions
sessionaudit ~/.claude/ -r
# Only show HIGH and CRITICAL
sessionaudit --severity HIGH
# JSON output
sessionaudit --json
# CI mode: exit 1 if HIGH or CRITICAL findings
sessionaudit --check| Rule | Severity | What It Detects |
|---|---|---|
| SA01 | CRITICAL | Credential exposure — API keys (GitHub, OpenAI, Anthropic, AWS, Slack, npm, PyPI), private keys, JWTs in session content |
| SA02 | HIGH | Sensitive file access — .env, .ssh, credentials, certificates, password files, cloud configs |
| SA03 | CRIT/HIGH/MED | Dangerous commands — sudo, rm -rf /, pipe-to-shell, reverse shells, crontab, systemctl, launchctl |
| SA04 | HIGH | Prompt injection — "ignore previous instructions", identity overrides, system prompt injection in tool outputs |
| SA05 | CRITICAL | Data exfiltration — webhook.site, ngrok, requestbin, pipedream, burp collaborator, DNS exfiltration |
| SA06 | MEDIUM | Excessive tool usage — >100 tool calls per session (possible runaway agent) |
| SA07 | MEDIUM | Permissive mode — session ran with unrestricted tool access |
| SA08 | HIGH | Path traversal — ../../../ sequences indicating directory escape |
| SA09 | HIGH | Suspicious URLs — known exfiltration/callback endpoints |
| SA10 | MEDIUM | Obfuscated content — large base64 strings that may contain hidden payloads |
═══════════════════════════════════════════════════════════════════════════
🔒 Agent Session Security Audit
Sessions: 5 Messages: 342 Tool calls: 187 Findings: 4
═══════════════════════════════════════════════════════════════════════════
🔴 CRITICAL [SA01] Credential exposure: GitHub PAT
session: abc123.jsonl
Found 1 instance(s) of GitHub PAT. Redacted: ghp_a1b2...x9y0
🟠 HIGH [SA03] Dangerous command: Sudo command execution
session: def456.jsonl
Found 2 instance(s) of 'Sudo command execution' in session.
🟡 MEDIUM [SA06] Excessive tool usage
session: ghi789.jsonl
147 tool calls. Top: Bash(52), Read(41), Write(28), Grep(16)
───────────────────────────────────────────────────────────────────────
Summary:
CRITICAL: 1
HIGH : 1
MEDIUM : 2
⚠ CRITICAL findings require immediate investigation.
| Agent | Default Location |
|---|---|
| Claude Code | ~/.claude/projects/<project-hash>/*.jsonl |
| Claude Code (history) | ~/.claude/history.jsonl |
- name: Audit agent sessions
run: python sessionaudit.py ~/.claude/ -r --check- Not real-time monitoring — analyzes logs after the fact
- Not a firewall — doesn't block agent actions, only reports
- Pattern-based — may have false positives on codebases that discuss security topics
MIT