Session Guardian — Never Lose a Conversation Again

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local session backup tool, but it needs review because it persistently reads broad conversation data and includes under-scoped summary, knowledge-extraction, restore, and deletion behaviors.

Install only if you want an always-on local tool that can read all OpenClaw agent sessions. Before enabling cron or OpenClaw summaries, review scripts/config.sh, scripts/install.sh, scripts/health-check.sh, and scripts/knowledge-extractor.sh; consider disabling summary delivery, avoiding last-channel announcements, and changing cleanup so it quarantines or dry-runs instead of deleting active session files. Treat backups and Knowledge outputs as sensitive conversation archives.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (37)

Context-Inappropriate Capability (Medium, 94% confidence)
Finding: The architecture documents centralized backup, collaboration tracking, and knowledge extraction across multiple agents, which expands the skill from session recovery into broad cross-agent observability and data aggregation. In a session-protection skill, this creates unnecessary collection and secondary use of conversation data, increasing privacy exposure and the blast radius of any compromise.

Context-Inappropriate Capability (Medium, 91% confidence)
Finding: Tracking collaboration chains (for example, King → lead → member) is not necessary for basic session backup and recovery and effectively introduces monitoring of agent relationships and work history. Because the skill is positioned as resilience tooling, this extra visibility is easy to deploy without adequate scrutiny, making the mismatch in purpose more dangerous.

Description-Behavior Mismatch (Medium, 91% confidence)
Finding: The changelog documents features that substantially expand the skill from session backup/recovery into collaboration tracking, knowledge extraction, and configuration repair. In a backup-focused skill, this kind of scope creep increases the chance of unauthorized data collection or unintended system modification, especially because these added capabilities touch sensitive session content and agent settings.

Context-Inappropriate Capability (Medium, 94% confidence)
Finding: Automatic knowledge extraction from sessions is not clearly necessary for session protection and implies mining conversation content for secondary reuse. That creates a real risk of collecting sensitive operational details, credentials, or private deliberations into a durable knowledge base beyond the user's expected backup/recovery workflow.

Context-Inappropriate Capability (High, 96% confidence)
Finding: Auto-repair of agent defaultModel configuration exceeds the stated purpose of session guarding and introduces an undocumented capability to modify agent behavior. Any feature that changes model configuration can alter security posture, routing, cost controls, or reliability, and is especially dangerous when bundled into a tool users may trust only for backup and recovery.

Context-Inappropriate Capability (High, 97% confidence)
Finding: The documentation recommends deleting agent session files with a broad find -delete command, which can permanently erase conversational state and forensic history. In a skill centered on session protection, encouraging direct destructive deletion without guardrails, confirmation, backup, or scoping validation materially increases the risk of data loss and operational disruption.

Description-Behavior Mismatch (Medium, 82% confidence)
Finding: Claiming automatic knowledge extraction and updates to MEMORY.md and AGENTS.md extends the skill from passive backup into active modification of long-lived context files. In a session-protection skill, that can silently persist, transform, or leak sensitive conversation content across agents or future sessions, especially because these files may influence later agent behavior.

Description-Behavior Mismatch (Medium, 94% confidence)
Finding: The script marketed as a health-check/recovery tool performs destructive deletion of session files when they exceed a size threshold. Although it copies files to a backup directory first, the deletion is automatic and non-interactive; it may erase active conversation state, or fail to preserve data fully if backup paths are inaccessible or incomplete, making this a real integrity/availability risk in a session-protection skill.

Context-Inappropriate Capability (Medium, 86% confidence)
Finding: The script’s stated purpose is session backup, but it also archives cron run records, which broadens collection from conversation recovery into operational activity history. Cron run JSONL files may contain task metadata, prompts, outputs, or other sensitive execution traces, so this creates unnecessary data retention and increases exposure if the backup directory is accessed or exfiltrated.

Description-Behavior Mismatch (Medium, 95% confidence)
Finding: The script mines session content from agent directories and repurposes it into a knowledge base, which goes beyond the stated backup/recovery/health-monitoring purpose of the skill. Even without exfiltration, this broad secondary use of conversation data increases privacy risk and can expose sensitive cross-agent context to users or processes that should not access it.

Context-Inappropriate Capability (Medium, 96% confidence)
Finding: The extract-all path iterates over every agent under ~/.openclaw/agents and aggregates data into a shared Knowledge directory, creating unintended cross-agent data mixing. In environments where different agents handle different projects, users, or trust levels, this can leak sensitive information across boundaries and make later access to that data much broader than the original session scope.

Description-Behavior Mismatch (High, 95% confidence)
Finding: The script advertises session backup/recovery capabilities, but the exposed behavior is only task-plan file management. In a security-sensitive recovery tool, this mismatch can mislead users into believing conversations are being protected when they are not, increasing the chance of silent data loss during crashes or restarts.

Context-Inappropriate Capability (Medium, 92% confidence)
Finding: The code implements create/update/list/show/archive/clean operations for markdown plan files rather than session protection, backup, or recovery. In the context of a skill marketed as guarding OpenClaw sessions, this is dangerous because operators may rely on it during failure scenarios and discover too late that no session state was preserved.

Intent-Code Divergence (High, 97% confidence)
Finding: Branding the tool as "Session Guardian v2.0" while the commands only create and manage task plan files is materially misleading. Users may make operational decisions based on false assumptions about backup coverage, which can directly contribute to unrecoverable loss of conversations or agent state.

Description-Behavior Mismatch (Medium, 92% confidence)
Finding: The script is packaged as part of a session protection and recovery skill, but this functionality only prints help text and performs superficial checks unrelated to backup, recovery, or actual runtime isolation enforcement. In a security-sensitive operational tool, this creates a false sense of protection that can lead operators to rely on controls that do not exist, increasing the chance of cross-session leakage or unrecoverable session loss after failures.

Description-Behavior Mismatch (Medium, 95% confidence)
Finding: The 'validate' path claims to verify session isolation, but it only checks for the presence of text in AGENTS.md and counts or sizes of session files. This does not test whether agents can improperly read or mix sessions, so administrators may incorrectly conclude isolation is working when no real isolation guarantees have been checked.

Intent-Code Divergence (Medium, 90% confidence)
Finding: The header comments and user-facing framing state that this is a 'session isolation check/validation' tool, but the implementation only performs shallow metadata and file hygiene checks. In the context of a skill marketed for conversation protection and recovery, misleading security claims are dangerous because they can directly influence incident response and data handling decisions.

Missing User Warnings (Medium, 96% confidence)
Finding: The document describes automatic backups, health checks, collaboration tracking, and knowledge extraction but does not provide a user-facing warning about how conversation data may be copied, summarized, or repurposed. This is dangerous because session content often contains sensitive prompts, credentials, internal strategy, or personal data, and silent background processing can violate privacy expectations and compliance requirements.

Missing User Warnings (Medium, 89% confidence)
Finding: Detailed collaboration recording is described without any warning that internal agent interactions may be logged, visualized, and retained. In this context, collaboration traces can expose sensitive task content, internal structure, and cross-session relationships that users may not expect to be stored.

Missing User Warnings (Medium, 95% confidence)
Finding: The changelog advertises automatic extraction of best practices and common issues without warning that session content may be mined and persisted. Because sessions often contain confidential prompts, outputs, and operational context, silent reuse into a knowledge base creates a meaningful privacy and data-governance risk.

Missing User Warnings (Medium, 96% confidence)
Finding: The markdown presents a destructive file-deletion command as routine operational guidance with no cautionary text, dry-run example, or recovery instructions. Users may execute it verbatim and unintentionally remove important session data, especially because the targeted path contains agent conversation state.

Missing User Warnings (Medium, 93% confidence)
Finding: The README promotes automatic backup, summarization, collaboration tracking, and knowledge extraction of conversations without any visible warning about sensitive-data capture, retention, sharing boundaries, or storage locations. Because session data often contains secrets, credentials, proprietary code, and personal information, silent collection and transformation materially increase confidentiality and privacy risk.

Missing User Warnings (Medium, 96% confidence)
Finding: The installation flow enables recurring cron jobs but does not clearly warn that the skill will continue running in the background and repeatedly access or modify local session data. Persistent scheduled execution increases the blast radius of misconfiguration, causes ongoing data collection without fresh consent, and can surprise users who expect a one-time install.

Missing User Warnings (Medium, 90% confidence)
Finding: Documenting restore functionality without warning that it may overwrite, roll back, or replace current session state can lead to accidental loss of newer data or reintroduction of stale context. In an agent environment, restoring old state may also resurrect sensitive information or outdated instructions that affect future actions.

Missing User Warnings (Medium, 91% confidence)
Finding: The README advertises automatic cleanup and repair actions, including handling large session files and fixing missing configuration, without warning users that these actions may modify or delete state. For a persistence/backup tool, silent maintenance behavior is risky because it can destroy evidence, remove needed context, or alter system behavior in ways users did not explicitly approve.

VirusTotal

64/64 vendors flagged this skill as clean.