Session Archive Manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly aligned with session cleanup, but it can modify or delete OpenClaw data, install a recurring cron job, and run hardcoded scripts from outside the reviewed skill package.
Install only if you are comfortable with local scripts rewriting, moving, compressing, and deleting OpenClaw data. Before running it, verify the hardcoded /root/.openclaw paths, check whether the external workspace scripts exist, review the cron schedule, and back up your sessions, memory, and logs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the hardcoded scripts under /root/.openclaw/workspace are missing, the skill may fail; if they exist and differ from the reviewed package, the skill may execute unreviewed local code.
The main bundled script invokes hardcoded files in /root/.openclaw/workspace rather than the reviewed scripts/ copies included in the skill package.
TRIM_SCRIPT="/root/.openclaw/workspace/session_trimmer.py" ... if [ -f "/root/.openclaw/workspace/archive_with_summary.sh" ]; then /root/.openclaw/workspace/archive_with_summary.sh
Use paths relative to the skill directory for bundled scripts, or clearly install and verify the external workspace scripts before invoking them.
Session files can continue being archived or deleted in the background on an hourly schedule, which may surprise users expecting one-time or daily operation.
The setup script creates a persistent cron task that runs every hour, keeping the archive behavior active after the initial user action.
CRON_JOB="0 * * * * $SCRIPT_PATH >> $CRON_LOG 2>&1" ... echo "定时任务已设置为每小时运行一次"
Require explicit user confirmation before installing cron, document the exact schedule, provide an uninstall command, and default to less frequent or manual operation.
Users could permanently lose OpenClaw memory or log data while trying to clean up session files.
A script advertised as session cleanup deletes OpenClaw memory markdown files, not just session archives, and does so without a backup or confirmation step.
MEMORY_DIR="$OPENCLAW_DIR/memory" ... OLD_MEMORY=$(find "$MEMORY_DIR" -name "*.md" -type f -mtime +$DAYS_TO_KEEP) ... echo "$OLD_MEMORY" | xargs rm -f
Limit cleanup to session-owned archive files by default, add dry-run and confirmation options, and clearly document any deletion of memory or logs.
Session summaries may retain sensitive filenames, commands, or conversation context even after the original session is trimmed or archived.
The summarizer extracts file references and full command strings from session history into local summary JSON files.
"files_accessed": [], "commands_run": [], ... self.summary["commands_run"].append(args["command"])
Review generated summaries, protect the summaries directory, and avoid running this on sessions containing secrets unless retention is acceptable.
