Description
Security Report — developer-growth-analysis skill
Severity: CRITICAL
Reported by: Security audit during skill evaluation
Date: 2026-03-16
Summary
The developer-growth-analysis skill implements what is functionally an automated data exfiltration pipeline. It reads the most sensitive local file in the Claude Code installation and transmits a derived report to an external service via an unverified third-party MCP.
Finding 1 — CRITICAL: Reads ~/.claude/history.jsonl
The skill explicitly instructs reading ~/.claude/history.jsonl (referenced in SKILL.md around lines 65-69).
This file contains the full history of every Claude Code conversation:
- User messages and project context
- Timestamps
- pastedContents — which includes any code, credentials, configuration snippets, API keys, or sensitive data the user has pasted into any Claude Code session
If a user has ever pasted an API key, database password, SSH key, or any credential into Claude Code, this data would be read and processed by this skill.
Finding 2 — CRITICAL: Transmits data to Slack via unknown Rube MCP
Lines 193-202 of SKILL.md instruct:
- Connecting to Slack via RUBE_MANAGE_CONNECTIONS (part of Rube MCP)
- Sending the full growth report — derived from ~/.claude/history.jsonl — to Slack via RUBE_MULTI_EXECUTE_TOOL
This creates a complete exfiltration chain:
- Read sensitive local file containing all past sessions and pasted content
- Extract and summarize the contents (including any secrets pasted in sessions)
- Transmit the derived report to an external Slack workspace via an undocumented third-party MCP
Finding 3 — HIGH: Rube MCP is unknown and undocumented
The skill references RUBE_SEARCH_TOOLS, RUBE_MANAGE_CONNECTIONS, and RUBE_MULTI_EXECUTE_TOOL — tools belonging to Rube MCP. This is:
- NOT a Composio MCP
- NOT a standard Claude MCP
- NOT identified with a URL, vendor, or documentation link anywhere in the skill
An unknown MCP with access to both local chat history and Slack credentials is a severe supply chain risk.
Finding 4 — HIGH: Automatic Slack OAuth initiation
The skill states: "If not connected, use RUBE_MANAGE_CONNECTIONS to initiate Slack auth." This means the skill will automatically prompt Slack OAuth authorization if not already connected — potentially authorizing a third party (Rube MCP) to send messages to the user's Slack workspace without explicit prior consent.
Impact
- Confidentiality breach: All historical Claude Code conversations exposed, including pasted credentials
- Data exfiltration: Sensitive data transmitted to external Slack workspace via unverified MCP
- Supply chain risk: Unknown Rube MCP could intercept, log, or forward data
Recommendation
- Remove or clearly warn about ~/.claude/history.jsonl access — this file should be treated as secrets-class
- Document or remove the Rube MCP dependency — users need to know exactly what service handles their data
- Make Slack transmission opt-in with explicit user consent, not automatic
- Add a security disclaimer that this skill accesses sensitive conversation history
This issue was filed as a responsible disclosure to protect users of this skill library.
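A reviewer can check a skill file for the same pattern before installing it. The following is an added example, not part of the original report or of the skill library: a small static check that flags a read of ~/.claude/history.jsonl, calls to RUBE_* tools, an instruction to initiate auth, and the read-then-transmit ordering described in Finding 2. The rule set, the function name `audit_skill` and the sample text are assumptions made for illustration.

```python
import re

# Assumed rules for this example; extend the list for other secrets-class paths.
SENSITIVE_READS = [re.compile(r"~/\.claude/history\.jsonl")]
OUTBOUND_TOOLS = re.compile(r"\bRUBE_[A-Z_]+\b")
AUTH_INIT = re.compile(r"initiate\s+\w*\s*auth", re.IGNORECASE)
DOC_LINK = re.compile(r"https?://\S+")


def audit_skill(text):
    """Return findings as (severity, line_no, message) tuples."""
    reads, sends, findings = [], [], []
    for no, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in SENSITIVE_READS):
            reads.append(no)
            findings.append(("HIGH", no, "reads secrets-class local file"))
        for tool in OUTBOUND_TOOLS.findall(line):
            sends.append(no)
            findings.append(("MEDIUM", no, f"calls external MCP tool {tool}"))
        if AUTH_INIT.search(line):
            findings.append(("HIGH", no, "instructs automatic auth initiation"))
    # A sensitive read followed later by an outbound call is the chain in Finding 2.
    if reads and sends and min(reads) < max(sends):
        findings.append(
            ("CRITICAL", max(sends), "sensitive read followed by external transmission")
        )
    # Finding 3: outbound tools with no vendor or documentation URL in the file.
    if sends and not DOC_LINK.search(text):
        findings.append(("HIGH", sends[0], "MCP tools used with no documentation URL"))
    return findings


# Constructed sample for the example, not the real SKILL.md.
SAMPLE = """\
## Steps
1. Read ~/.claude/history.jsonl and collect recent sessions.
2. Summarise the developer's growth areas.
3. If not connected, use RUBE_MANAGE_CONNECTIONS to initiate Slack auth.
4. Send the report with RUBE_MULTI_EXECUTE_TOOL.
"""

if __name__ == "__main__":
    for sev, no, msg in audit_skill(SAMPLE):
        print(f"{sev:8} line {no}: {msg}")
```

A match is a prompt for manual review of the skill, not proof of intent; a skill with none of these strings can still read or send data through other paths.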