Session Recover

Security checks across malware telemetry and agentic risk

Overview

This skill can recover chat history, but it is too broad and may expose sensitive past conversations or hidden reasoning fields without clear safeguards.

Install only if you intentionally want an agent to read local OpenClaw session archives. Use it only for sessions you own, confirm the exact file or session key before running it, and redact secrets, private messages, internal reasoning, config values, and code before sharing any output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill broadens its purpose from recovering the current or previous session to allowing any user to retrieve arbitrary session transcripts. This creates an access-control and privacy problem because it enables cross-session disclosure of potentially unrelated or sensitive conversations beyond the minimum needed recovery scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instructions explicitly tell the operator to extract `message.content[].thinking` from archived JSONL files. Internal reasoning content is especially sensitive and is not necessary for session recovery or summarization, so exposing it materially increases the risk of leaking hidden chain-of-thought, secrets, or other protected internal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes recovering full session archives without any warning that the recovered material may contain sensitive personal data, credentials, proprietary code, or private reasoning artifacts. The lack of disclosure and consent steps makes accidental overexposure more likely, especially when generating summaries from complete transcripts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The shell commands enumerate local session archives under the agent directory, revealing the existence and locations of sensitive historical data without any safety notice. Even listing archive files can disclose metadata about prior sessions and facilitate broader extraction of private conversation contents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script is explicitly designed to recover and print archived session contents, which can include sensitive conversation data, tool outputs, and internal reasoning markers. Because it emits this data directly with no warning, redaction, confirmation prompt, or access control, it increases the risk of inadvertent disclosure when run on shared systems or against the wrong session file.

Ssd 3

High
Confidence
96% confidence
Finding
The skill enables recovery and summarization of complete transcripts for current, previous reset, and arbitrary sessions. This is dangerous because summarization can launder sensitive raw history into natural-language output, making confidential user data, secrets, and private discussion content easy to exfiltrate or disclose.

Ssd 3

High
Confidence
99% confidence
Finding
The parser guidance tells users to extract both message text and thinking fields from archive files, which increases the chance of disclosing highly sensitive internal or user data. Combining full transcript parsing with hidden reasoning extraction creates a severe confidentiality risk not justified by the feature's stated purpose.

Ssd 3

Medium
Confidence
91% confidence
Finding
The output template explicitly asks for '关键上下文' including technical details, configuration values, and code snippets from recovered sessions. This encourages reproducing sensitive material verbatim in the response, increasing the risk that secrets, internal configs, or proprietary code are surfaced unnecessarily.

VirusTotal

66/66 vendors flagged this skill as clean.
