Back to skill

Security audit

Session Archiver

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it silently archives chat transcripts, writes derived memory, deletes old memory files, and modifies future agent instructions without clear opt-in controls.

Install only if you deliberately want automatic background retention of OpenClaw conversations. Before enabling it, review the exact files it will read and write, decide whether sensitive sessions should be excluded, inspect the AGENTS.md change, confirm the 30-day deletion policy is acceptable, and make sure you know how to disable the cron/startup behavior and purge archived memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
74% confidence
Finding
The skill describes behavior that depends on environment/system capabilities such as scanning session directories, using cron, and writing memory files, yet no permissions are declared. This creates an undeclared trust boundary: users and reviewers are not clearly informed that the skill accesses local session data and performs automated file operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose says the skill archives completed sessions to daily memory, but the document also states it extracts separate insight reports, deletes old memory files, and modifies AGENTS.md automatically. That mismatch is dangerous because it hides materially different behaviors: persistence/analysis of conversation data, data deletion, and self-installation into workspace startup flow.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script self-modifies AGENTS.md to add workflow instructions unrelated to simple session archiving. A skill that persistently alters the workspace's instruction file can change future agent behavior and create hidden persistence, which is more dangerous because the stated purpose is only archival, not policy or workflow management.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
In addition to archiving, the script derives and stores separate 'insight candidate' files containing preferences, decisions, lessons, and corrections for future reuse. This expands data collection beyond the declared archival function and creates a secondary persistent memory artifact that can influence later agent behavior or expose sensitive user traits.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Automatically modifying a workspace instruction file is not justified by a session archiver's purpose and introduces unauthorized behavior change in the user's environment. Because AGENTS.md can shape future agent actions, this acts like persistence and instruction injection rather than simple data processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that conversation content is archived automatically and silently, including user and assistant messages, with 'zero awareness' to the user. Silent retention of transcript content without a clear consent and privacy warning can expose sensitive prompts, personal data, credentials, or proprietary information to unintended persistence.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents automatic deletion of memory files older than 30 days, but does not present a clear warning or confirmation path for the user. Automated deletion can cause irreversible loss of notes, audit trail, or information the user expected to keep.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill says it will automatically detect and append integration content into AGENTS.md on first run, without manual action. Silent modification of workspace control/configuration files is risky because it changes future agent behavior and persistence model without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script appends full user and assistant content into persistent memory files without any user-facing notice, consent, or opportunity to review what will be retained. This is dangerous because transcripts often contain secrets, personal data, and sensitive operational context that become silently persisted beyond the original session.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script changes AGENTS.md automatically and silently, modifying user workspace files without confirmation. Silent workspace mutation is risky because it can create lasting behavior changes, surprise the user, and make later agent actions follow instructions the user never knowingly approved.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs automatic, silent archiving and retention of user and assistant conversation content into memory files. In context, this is especially dangerous because the source material is session transcripts, which commonly contain sensitive operational details, personal data, secrets, and internal reasoning-adjacent content that users may not expect to be re-persisted.

Ssd 3

High
Confidence
96% confidence
Finding
The skill goes beyond storage and analyzes archived conversations to extract reusable preferences, decisions, lessons, and workflow changes into review files. This profiling/derivation step increases privacy and security risk because it creates durable behavioral summaries from user interactions that can reveal sensitive patterns, internal processes, or policy-relevant preferences.

Ssd 3

Medium
Confidence
90% confidence
Finding
The script intentionally extracts snippets from user and assistant messages and persists them into a new review artifact, which can duplicate sensitive session content into another file with a different retention and access pattern. In a session-archiving skill, this is more dangerous because the whole function is to process transcripts, so private prompts, secrets, or confidential operational details may be surfaced and retained beyond the original session data.

Ssd 3

Medium
Confidence
97% confidence
Finding
The script persistently stores substantial user and assistant conversation text with only limited metadata stripping and no content-level secret or PII redaction. In the context of a session archiver, this is especially sensitive because transcripts commonly include credentials, personal information, proprietary code, and incident details, all of which become long-lived local records.

Ssd 3

Medium
Confidence
94% confidence
Finding
The review file extracts and preserves inferred user preferences, decisions, lessons, and corrections for future reuse, creating a behavioral profile from prior conversations. Even if intended to help, this increases privacy risk and can bias future agent behavior using retained personal or strategic context the user did not explicitly approve for long-term memory.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.