Skillv3.1.0

ClawScan security

Session Guardian — Never Lose a Conversation Again · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 21, 2026, 12:03 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose (local session backup and recovery) is coherent, but there are several mismatches and defaults that could cause unexpected data disclosure or hidden LLM/network activity — review config and install scripts before installing.
Guidance: What to check before installing: 1) Inspect scripts/install.sh and scripts/*.sh yourself (or with a trusted admin) before running — install.sh will add cron jobs that run frequently and will read all session files under ~/.openclaw/agents. 2) Open and edit config.sh defaults before deployment: - Set DELIVERY_ENABLED=false (default is true) if you do not want any automatic push of summaries/backups to chat channels or external endpoints. - Ensure REMOTE_SYNC_ENABLED=false unless you deliberately want to sync backups to a remote host; if you do, provide and verify credentials securely. - If you want backups encrypted, set ENCRYPTION_ENABLED=true and configure GPG_KEY_ID before running. - If you do not want token/LLM usage, disable KNOWLEDGE_EXTRACTION_ENABLED and any SUMMARY_MODEL settings (SKILL.md's "zero token cost" claim is inconsistent with these enabled defaults). 3) Confirm required system tools are present (jq, rsync or rclone, gzip/pigz, cron) — the package scripts use jq and rsync-like behavior but the skill metadata declares no required binaries. 4) Run installation in a safe environment or test account first (to confirm behavior and verify no unintended pushes or remote syncs occur). 5) Audit the backup directory permissions (~/.openclaw/workspace/Assets/SessionBackups) and logs after a test run; verify backups are stored where you expect and not transmitted externally. 6) If you need stronger guarantees, ask the maintainer for minimal configuration examples that explicitly disable delivery/remote sync and LLM calls, and for a signed release or repository URL to verify provenance.
Findings: [pre-scan-injection-none] expected: Static pre-scan reported no injection signals. This does not contradict the concerns above (which come from configuration and defaults, not regex-detected malicious patterns).

Review Dimensions

Purpose & Capability: concernThe declared purpose (local backups, snapshots, health checks) matches the included scripts that read ~/.openclaw/agents/*/sessions and create local backups. However the repo also includes delivery/remote-sync/summary configuration (DELIVERY_ENABLED=true, REMOTE_SYNC_* options, SUMMARY_MODEL, KNOWLEDGE_EXTRACTION_ENABLED=true) that extend beyond pure local backups. SKILL.md claims "All backups stay local" and "Zero Token Cost", but config and scripts enable push/summary/extraction features that can call models or push data to external channels — this is an incoherence between claimed purpose and default capabilities.
Instruction Scope: concernSKILL.md instructs running install.sh which will configure cron jobs and run scripts that read all agent session files (~/.openclaw/agents/*/sessions). The instructions claim backups are local and non-networked, yet config.sh contains delivery and remote-sync settings and templates for SUMMARY_PROMPT_TEMPLATE and SUMMARY_MODEL (which imply LLM usage). The runtime instructions do not call out that daily summaries / knowledge extraction / delivery may send conversation data outside the machine if those features are enabled.
Install Mechanism: noteNo external download/install spec is declared and scripts are included in the package (no network fetch of arbitrary code). install.sh (present in repo) will modify crontab/OpenClaw cron and create directories under ~/.openclaw/workspace/skills/session-guardian and Assets/SessionBackups. This is expected for a backup tool but you should inspect install.sh before running because it will create scheduled jobs that run frequently (every 5 minutes / hourly / daily).
Credentials: concernRegistry metadata lists no required env vars or credentials, but config.sh defines many optional external integration fields (ALERT_WEBHOOK, REMOTE_RSYNC_HOST/USER/PATH, REMOTE_RCLONE_REMOTE, DELIVERY_CHANNEL/TARGET, GPG_KEY_ID, SUMMARY_MODEL). Defaults enable DELIVERY_ENABLED=true and KNOWLEDGE_EXTRACTION_ENABLED=true and set SUMMARY_MODEL to an external model name — meaning sensitive conversation content could be routed or summarized by external services if the defaults are left as-is. Additionally, scripts rely on tools (jq, rsync, gzip/pigz, find, cron) but the skill declares no required binaries — a mismatch that may cause failures or hidden behavior.
Persistence & Privilege: noteThe skill does not request 'always: true' and uses standard cron for persistence; that is expected for a backup tool. It will gain ongoing presence via scheduled jobs and access to all agent session directories under the user's home, which is proportional to its stated goal but increases blast radius (frequent automated reads of all sessions).