Session Archive

Security checks across malware telemetry and agentic risk

Overview

This plugin openly saves OpenClaw chat history to a local SQLite database, which is sensitive but matches its stated purpose.

Install only if you want conversations and usage metadata saved locally. Treat the SQLite database as sensitive: restrict local file access, consider whether backups should include it, and delete or rotate it according to your retention needs. Avoid using it for chats containing secrets unless local long-term transcript storage is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (12)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README prominently advertises real-time archival of complete conversation messages, including content and metadata, but does not present a clear upfront consent/privacy warning before enablement instructions. In an agent/plugin context, archived conversations may contain secrets, personal data, credentials, tool outputs, and sensitive operational history, so users could enable the plugin without fully understanding the data-capture scope and retention risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill states that it automatically archives conversation messages to a SQLite database and auto-enables after installation, but it does not clearly warn users that their chats will be persistently stored on disk. This creates a privacy and consent problem because users may disclose sensitive information without realizing it is being retained locally and potentially exposed to other local users, backups, or malware.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code persists full session messages, operation history, and token usage to a local SQLite database under the user's home directory, including potentially sensitive content such as prompts, tool activity, account identifiers, file paths, and media paths. There is no indication in this code of consent, minimization, encryption, retention controls, or access restrictions, so sensitive conversational and operational data may be silently retained and exposed to other local users, malware, backups, or forensic inspection.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: This engine persistently stores session messages, operation details, token usage, account identifiers, message IDs, tool names, and media paths without any visible consent, minimization, redaction, retention, or access-control checks in this code path. In an agent skill context, archived conversational content can include secrets, personal data, and sensitive operational metadata, so broad logging materially increases privacy and data-exposure risk if the database is accessed improperly or retained longer than necessary.

Missing User Warnings

High

Confidence: 97% confidence
Finding: This plugin persistently archives every conversation message, including user and assistant content, to a local SQLite database in real time via hooks, and the code shows no consent prompt, disclosure, redaction, or opt-in control before collection. Because chat transcripts can contain credentials, personal data, proprietary business information, and tool outputs, silent retention materially increases privacy, compliance, and data-exposure risk if the host is multi-user, compromised, backed up, or the database file is later accessed by other software.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The manifest explicitly advertises real-time archival of conversations and operations to SQLite, which creates a meaningful privacy and retention risk if users are not clearly warned and given control over collection. In an agent/plugin context, archived conversations may contain credentials, personal data, internal prompts, or operational secrets, so failing to disclose retention behavior materially increases the chance of unsafe deployment.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The engine persistently stores full session messages plus metadata such as session identifiers, channel, accountId, tool name, and media path. In an agent context, this can capture sensitive prompts, secrets, personal data, and operational traces without any consent, minimization, or visibility controls shown here, increasing privacy and breach impact if the archive is accessed or retained improperly.

Missing User Warnings

Low

Confidence: 77% confidence
Finding: The code stores assistant token-usage telemetry tied to session identifiers and model information, and may estimate usage even when no API usage data exists. While lower sensitivity than full message content, this still creates undisclosed behavioral telemetry that can reveal activity patterns, model usage, and session linkage in ways users may not expect.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The plugin is explicitly designed to archive every conversation message to a local SQLite database in real time, but this file shows no consent flow, notice, opt-in, redaction, or data-minimization controls. That creates a privacy and sensitive-data retention risk because prompts, secrets, personal data, and tool outputs may be stored persistently without user awareness.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The plugin description and behavior indicate systematic persistent retention of all conversation content, which is risky because conversations often contain sensitive personal, business, or credential material. Even if stored locally, broad transcript retention increases exposure from local compromise, backups, multi-user systems, or unintended later reuse.

Ssd 3

Medium

Confidence: 96% confidence
Finding: This hook captures all user messages before the agent responds, meaning raw user input is persistently stored regardless of whether the request succeeds or is later filtered. That broad pre-response capture is dangerous because users commonly place secrets, API keys, personal data, and regulated content directly into prompts.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The agent_end hook archives the full message set, including assistant, system, and tool content, creating comprehensive transcripts that may include hidden prompts, tool arguments/results, file paths, and other sensitive operational data. This is more dangerous in agent/plugin context because tool outputs can contain secrets or privileged internal information not intended for long-term retention.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal