Session Recall
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Session Recall appears to be a legitimate transcript-search tool, but it can automatically search broad historical OpenClaw conversations across agents, which is sensitive and is not consistently described in its documentation.
Install only if you are comfortable with an agent searching past OpenClaw transcripts. Prefer using an explicit --agent and narrow time window, avoid broad all-agent searches, and treat recalled transcript text as historical context rather than trusted instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect historical conversations from other local agents or unrelated workspaces, exposing private context beyond what the user expected.
When --agent is omitted, the list/search commands iterate over every discovered local agent session directory, not only the current agent.
SESSIONS_BASE = Path.home() / ".openclaw" / "agents" ... agents = [args.agent] if args.agent else discover_agents()
Default to the current agent only, require explicit user approval for cross-agent searches, and declare the session transcript path/capability in metadata.
Old private messages, sensitive details, or instructions embedded in prior transcripts could be reintroduced into a new task without the user realizing it.
The skill intentionally retrieves persistent historical conversation content and asks the agent to load it back into context, but does not define clear exclusions, consent boundaries, or instructions to treat recalled content as untrusted.
Search OpenClaw session transcript JSONL files to locate past conversations. Returns file paths and line numbers — read the relevant lines yourself to recover context.
Limit searches by default to a narrow time window/current agent, ask before reading sensitive or broad history, and instruct the agent not to treat recalled transcript text as authoritative instructions.
A user or agent may underestimate how much transcript history the skill can access.
The documentation contains conflicting privacy/scope statements: one says omitting --agent searches all, while another says it only searches the agent's own sessions by default.
`--agent` | Agent ID. Run `session-recall agents` to list available IDs. Omit to search all. ... - Only search your own agent's sessions by default
Remove the conflicting claim and make the default scope explicit, preferably defaulting to the current agent rather than all agents.
Installing the skill lets the agent execute the bundled local script to search transcripts.
The skill uses local Python command execution as its normal interface. This is purpose-aligned and the static scan reported no suspicious patterns, but it is still code the agent may run.
python3 SKILL_DIR/scripts/session-recall.py search "keyword" --agent AGENT_ID --start 7d --limit 20
Review the script source and install only from a trusted package/source.
If the skill is installed from a different or modified repository version, the local script could differ from the reviewed artifact.
The README suggests manually cloning a repository and copying it into the OpenClaw skills directory. This is common for manual installation, but it is not pinned to a commit in the artifact instructions.
git clone https://github.com/hchen13/session-recall.git ... cp -r session-recall ~/.openclaw/skills/session-recall
Install from a trusted, versioned source and verify the files match the reviewed package.
