Back to skill

Security audit

Session Archive Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears to manage OpenClaw session history, but it has broad destructive and persistent behavior that users should review before installing.

Review this skill carefully before installing. Only use it if you explicitly want automated session retention, summarization, and possible deletion. Prefer manual one-shot use, avoid enabling cron unless you need it, back up session files first, and inspect any generated summaries for sensitive commands, paths, or credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs shell execution plus file-modifying operations, but does not declare permissions or constraints. In an agent ecosystem, undeclared write/shell capabilities reduce transparency and can cause the agent to perform filesystem changes the user did not explicitly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is session archival, but the analyzed behavior reportedly also deletes files in other directories and modifies crontab, which are materially broader and more persistent actions. This mismatch is dangerous because users may consent to session maintenance without realizing the skill can affect logs, memory files, retention periods, and scheduled execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata promises intelligent trimming and summarization, but the implementation only moves, compresses, and later deletes session files. This mismatch is security-relevant because users may invoke the skill expecting safe space management while it actually performs destructive retention actions on potentially important conversation history.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script deletes archived session files older than 30 days, which goes beyond a plain 'archive old sessions' expectation and creates irreversible data loss risk. In the context of session management, archived files may contain important audit trails, user history, or recovery data, so silent deletion materially increases danger.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script invokes an external Python program from a separate workspace path with root-owned session data as input, creating a trust-boundary violation. If that Python file is modified, replaced, or is less trusted than this script, it can read or exfiltrate sensitive session contents or execute arbitrary code in the context of this archival job.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The summarizer persists sensitive operational details from sessions, including file paths, key actions, and full executed commands, into a new reusable summary artifact. Session logs often contain secrets, internal paths, credentials in command lines, or security-sensitive workflow details, so copying them into derived summaries increases data exposure and retention beyond what is necessary for basic archiving.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script establishes a persistent hourly cron job, which goes beyond one-time session archival and creates ongoing scheduled execution on the host. In a skill context, persistence is security-relevant because it can continue running without future user awareness and can be abused if the target script is later modified or replaced.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Modifying the user's crontab gives the skill durable execution capability that is broader than ordinary session-file management. Even if intended for maintenance, this expands the skill's authority and creates a persistence mechanism that could be leveraged to run arbitrary code from the referenced path on a recurring basis.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill describes trimming and rewriting original session files, which is destructive behavior, but does not present a strong, prominent warning or consent step before modification. This increases the risk of accidental data loss, especially because session histories may contain important context and the action is framed as routine maintenance.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text uses broad trigger phrases such as general references to archiving or cleaning sessions, which may cause the skill to activate during ordinary conversation rather than through deliberate user intent. In a skill that performs file deletion, rewriting, and automation setup, over-broad activation materially raises the chance of unintended destructive actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script permanently removes archived files older than 30 days without confirmation, backup, or prominent warning, making accidental loss of session records likely. Because this skill is triggered for routine storage cleanup, users may run it in benign maintenance scenarios without realizing it includes irreversible deletion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script destructively rewrites the original session file and deletes the local .bak copy automatically, with no interactive confirmation, dry-run mode, or integrity verification. In a session-management skill, this is more dangerous because the tool is explicitly intended to operate on valuable conversation history, so accidental invocation, wrong-path input, or unexpected parsing behavior can cause irreversible data loss on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script applies a persistent system scheduling change immediately, without any confirmation prompt or dry-run output. Silent persistence is dangerous in agent skills because users may not realize they have granted ongoing execution, increasing the chance of unexpected resource use or abuse if the archive script changes later.

Ssd 3

Medium
Confidence
95% confidence
Finding
The tool systematically extracts and persists conversation metadata, participant identifiers, file references, tool activity, and command text from entire session histories into a searchable summary file. This broad secondary collection meaningfully expands retention and discoverability of potentially sensitive user data, making accidental disclosure, overexposure to other tools/users, and long-term privacy leakage more likely.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
如果看到 `.lock` 文件,先删除:
```bash
rm -f ~/.openclaw/agents/main/sessions/*.lock
```

### 权限问题
Confidence
81% confidence
Finding
rm -f ~/.openclaw/agents/main/sessions/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.