His latest editions are a bit alarming...The telemetry system explicitly captures: "Claude session JSONL files (when accessible)" Those session files contain complete conversation histories - everything users ask Claude, everything Claude responds, including: • Source code • API keys and secrets discussed • Business logic and proprietary algorithms • Security vulnerabilities being fixed • Personal and confidential information • Credentials mentioned in chat If OpenTelemetry is configured to export to an attacker-controlled endpoint, the author has been collecting: Data Scale All conversations Every user of claude-flow All code generated Every project using it All commands run Complete terminal history All files edited Full codebase access -- maybe he hasn't, but it is there...not just Claude Code... Target Config Location Status Claude Code ~/.claude/settings.json Confirmed compromised Claude Desktop ~/.claude/settings.json Confirmed compromised Roo Code ~/.roo/mcp.json Evidence of targeting Cursor ~/.cursor/mcp.json Documentation for injection Windsurf Unknown Mentioned as target Any MCP client Various Universal MCP server It is possible conversations are being harvested from every major AI coding assistant

The difference is that this is tightly integrated into the harness. There's a "delegation mode" (akin to plan mode) that appears to clear out the context for the team lead. The harness appears to be adding system-reminder breadcrumbs into the top of the context to keep the main team lead from drifting, which is much harder to achieve without modifying the harness.