Conversation Recovery

Security checks across malware telemetry and agentic risk

Overview

The skill’s purpose is coherent, but its local storage code does not validate session or snapshot IDs, which could let a crafted ID access or delete JSON files outside the intended folder.

Only install this if you are comfortable with local persistent conversation snapshots. Prefer a patched version that validates session and snapshot IDs before filesystem access, and review or delete stored recovery files if conversations may contain sensitive information.

VirusTotal

65/65 vendors reported this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the skill accepts a session or snapshot ID from an agent or caller without validating it, a crafted ID may cause it to read, overwrite, or delete JSON files outside its intended recovery directory.

Why it was flagged

The storage path is derived directly from caller-controlled IDs, and the code performs read/write/delete operations without checking for path separators, normalizing and verifying containment, or restricting IDs to generated values.

Skill content
function getSessionPath(sessionId) {
  return path.join(SESSIONS_DIR, `${sessionId}.json`);
}
...
export async function deleteSession(sessionId) {
  ...
  await fs.unlink(filePath);
}
Recommendation

Validate sessionId and snapshotId with a strict allowlist pattern, reject path separators and '..', resolve paths, and verify the final path stays inside the sessions or snapshots directory before any file operation.

ASI06: Memory and Context Poisoning
Low
What this means

Old conversation facts, tasks, or context may be reused later and could include private information or outdated assumptions.

Why it was flagged

The skill persistently stores summarized conversation state and optional raw context for later recovery, which is central to its purpose but can retain sensitive or stale information across sessions.

Skill content
Snapshot ... containing: Intents ... Facts ... Tasks ... context?: string ... Data is stored in JSON files at: ~/.openclaw/conversation-recovery/
Recommendation

Avoid storing secrets in recoverable context, periodically review or delete old sessions, and treat recovered facts/tasks as context to verify rather than unquestionable truth.