Session History

Type: OpenClaw Skill Name: session-history Version: 1.0.0 The `scripts/search_sessions.py` file appears benign, performing its stated function of searching OpenClaw session transcripts within expected directories (`~/.openclaw/agents/*/sessions/`) without evidence of malicious intent or direct vulnerabilities like path traversal or arbitrary code execution. However, the `SKILL.md` file contains an instruction for the AI agent: 'If `sessions_history` doesn't work (old/closed sessions), read the JSONL file directly with `read`'. While the script itself outputs paths strictly within the OpenClaw session directories, this explicit instruction to use a generic `read` tool, combined with the script outputting full file paths, introduces a prompt injection vulnerability. An attacker could potentially leverage this instruction to trick the agent into reading arbitrary sensitive files if they can manipulate the agent's context or subsequent prompts, even if the initial paths from the script are safe. This constitutes a risky capability without clear malicious intent, classifying it as suspicious.