Skillv0.2.1

ClawScan security

DEPRECATED - Bobo Session Cleanup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 6, 2026, 12:49 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and instructions match its stated purpose (cleaning local OpenClaw session files); nothing in the package tries to reach out to external systems or request unrelated credentials.
Guidance: This skill appears to do what it claims: scan OpenClaw session directories and help you delete orphan or stale .jsonl files. Before running any destructive steps: 1) Run the scan as instructed and inspect the JSON report; 2) Back up the sessions directory (or move files instead of rm) in case of mistakes; 3) Note that the script uses node and bash — install them if missing; 4) The SKILL.md shows rm commands that will delete files under ~/.openclaw by default — prefer moving/archiving and double-check paths or set OPENCLAW_STATE_DIR / OPENCLAW_AGENT_ID if your state is elsewhere; 5) This skill is deprecated — consider migrating to session-cleanup-pro per the README.

Purpose & Capability: okName/description match the provided files: a scanner script and policy for cleaning session .jsonl files under the OpenClaw state directory. No unrelated credentials, network hosts, or extra binaries are required by the code.
Instruction Scope: noteSKILL.md prescribes a safe workflow (scan → show report → ask user → apply). It includes example rm commands for deleting orphan .jsonl files — expected for a cleanup tool but inherently destructive. The script itself (scan mode) is read-only and only prints a JSON report; deletions are manual per the instructions. Ensure user confirmation and backups before applying deletions.
Install Mechanism: okNo install spec (instruction-only plus a script). No downloads or archive extraction; the only runtime requirement is that node and bash are available for the included script to run.
Credentials: noteThe script optionally reads OPENCLAW_STATE_DIR and OPENCLAW_AGENT_ID (defaults to $HOME/.openclaw and 'main') — appropriate for locating local session files. No secrets or external credentials are requested. Minor inconsistency: SKILL.md metadata lists required bins (bash, node) but the registry metadata shows no required binaries.
Persistence & Privilege: okalways is false and the skill does not request persistent/privileged system presence. It does not modify other skills or system-wide settings.