Tide Watch

Security checks across malware telemetry and agentic risk

Overview

The skill is local and mostly purpose-aligned, but its session-changing features and conflicting backup/restore claims create real data-loss and privacy risks.

Install only if you are comfortable with a local CLI reading OpenClaw session files, discovering sessions across agents, and moving or deleting session-related files when you invoke those commands. Treat the advertised automatic backup/restore behavior as unreliable in this artifact; make your own backups before using archive, reset, restore, or cleanup workflows, and review any AGENTS.md or HEARTBEAT.md changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that auto-backup is enabled by default, but later says auto-backup is 'coming soon'. This inconsistency can cause users to rely on backups that do not actually exist, increasing the chance of data loss during session resets or capacity events.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guide provides concrete restore instructions and backup file locations as if backup functionality is available, while later indicating the feature is not yet shipped. That can mislead users into destructive workflows under the assumption that recovery is possible when it may not be.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document makes a strong safety claim that the skill is 'strictly monitoring-only' and uses only the built-in session_status tool, yet later describes writing memory files and backing up session data. This inconsistency can mislead reviewers and users about the actual capability surface, causing underestimation of file-write and persistence risks.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Stating 'nothing is written to disk' while elsewhere describing workspace writes and backup creation is a material contradiction in a security assessment. If relied upon, this can bypass scrutiny of persistence, data retention, and accidental disclosure risks associated with archived session content.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The threat model says there is 'No filesystem tampering' while simultaneously acknowledging writes to the user's workspace and backup operations. Even if those writes are legitimate, denying filesystem effects weakens the threat model and may hide risks such as sensitive data accumulation, overwrite, or unintended persistence.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims backup/load, dashboard, reporting, and heartbeat-integrated behaviors as if they are available now, while later sections mark several of those same capabilities as future features. This kind of security-relevant misrepresentation can cause operators to rely on protections or workflows that do not actually exist, increasing the chance of unsafe resets, data loss, or overtrust in the skill's safeguards.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file contains internal contradictions about whether backup, reporting, dashboard, and heartbeat integration are present or still future work. Contradictory security/feature documentation is dangerous because users may install or invoke a mode assuming safer or more complete behavior than is actually provided, especially around backup and recovery operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation steps instruct users to append content directly into AGENTS.md and HEARTBEAT.md, modifying persistent workspace control files without warning, review guidance, or backup steps. In an agent-driven environment, silently changing these files can alter future agent behavior and create hard-to-audit persistent effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The configuration describes creating persistent backup files and automatically deleting them based on retention settings, but does not clearly warn users about local data storage and deletion side effects. This can expose sensitive conversation content on disk or lead to unexpected loss of forensic/history data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide documents automatic session backups, retention, compression, and on-disk backup locations, but it does not clearly warn users that potentially sensitive conversation content will be written to persistent storage. In a session-management skill, this can create unintended data-at-rest exposure, especially on shared systems or where backups are not encrypted, rotated, or access-controlled.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README promotes a very broad natural-language trigger, “Help me reset this session and preserve context,” that could overlap with ordinary user conversation and cause an agent to initiate backup/reset actions without an explicit, safety-scoped confirmation flow. In a skill that manages session state, ambiguous activation increases the chance of unintended destructive or state-altering operations.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The archive feature is documented as moving old session data but does not prominently warn that it modifies or relocates conversation files under the user's OpenClaw session storage. Users may invoke archiving without realizing it changes persistence state, which can lead to accidental data loss, confusion during recovery, or disruption of active workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The restore workflow is described without a clear warning that restoring a backup may overwrite or replace current session state. In a tool specifically handling conversational state, an uninformed restore operation can destroy newer work or revert a session unexpectedly, making this more dangerous than generic file restore documentation.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document normalizes automatic multi-agent discovery and cross-agent session aggregation as benign, but does not prominently warn users that running the tool by default exposes all of their own agent conversations in a unified view. In a session-monitoring skill, this increases privacy risk because sensitive prompts, notes, or secrets stored in one agent's sessions may become visible from another workflow or terminal unexpectedly.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manual invocation examples use very broad natural-language phrases like 'Check context usage' and 'Run session_status', which could accidentally trigger the skill during ordinary conversation. In an agentic environment, ambiguous activation language can cause unplanned inspection actions or chain into more sensitive workflows without explicit user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The reset workflow is tied to a broad phrase ('Help me reset this session and preserve context') even though the described action sequence includes backup and session reset, which are potentially destructive or state-changing. Without explicit confirmation gates and constrained invocation, an accidental or prompt-injected phrase could trigger backup, overwrite, or reset behavior at the wrong time.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The FAQ includes destructive uninstall and cleanup commands that recursively delete skill and session data, but it does not clearly warn that these deletions are irreversible. In documentation for agent skills, users may copy-paste commands directly, so omission of a warning materially increases the chance of accidental data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples include destructive cleanup commands such as recursive archive deletion without an explicit warning that they permanently remove stored session data. In a documentation context, users often copy-paste commands directly, so omission of a data-loss warning materially increases the chance of accidental deletion.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The webhook example sends session-capacity report data to an external endpoint but does not warn that the JSON may contain session identifiers, channel names, or other metadata. Even though the command is commented as optional, it normalizes exfiltration of operational data to third parties without discussing trust boundaries or privacy implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The recovery instructions copy a backup over the active session file, which can overwrite newer session state and cause irreversible loss of current data if used incorrectly. Recovery documentation should explicitly warn that restore operations replace existing content and should encourage making a safety copy first.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The archiving routine performs destructive file operations by moving session JSONL files and rewriting `sessions.json`, which can permanently alter or hide active session state. In a security-sensitive agent environment, silent destructive state changes can cause denial of service, loss of auditability, or accidental tampering if triggered without strong confirmation and boundary checks.

Session Persistence

Medium
Category
Rogue Agent
Content
```
~/.openclaw/agents/main/sessions/*.jsonl           // Session files
~/.openclaw/agents/main/sessions/sessions.json    // Session registry

// Write access
~/.openclaw/agents/main/sessions/resume-prompts/*.md      // Resumption prompts
~/.openclaw/agents/main/sessions/archive/YYYY-MM-DD/     // Archived sessions
```
Confidence
82% confidence
Finding
Write access ~/.openclaw/agents/main/sessions/resume-prompts/*.md // Resumption prompts ~/.openclaw/agents/main/sessions/archive/YYYY-MM-DD/ // Archived sessions ``` **Code does NOT access:*

VirusTotal

66/66 vendors flagged this skill as clean.
