Back to skill

Security audit

Session2blog Clawhub

Security checks across malware telemetry and agentic risk

Overview

This skill locally converts selected OpenClaw conversations into Markdown blog drafts, with privacy risk that is disclosed and aligned with its purpose.

Install only if you are comfortable letting the skill read selected OpenClaw conversations and save derived blog drafts locally. Review generated Markdown before sharing or publishing because redaction is best-effort and conversations may include secrets, personal data, internal paths, or project details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README presents the skill as a simple '/s2b' convenience feature but does not clearly warn, at the point of use, that it reads local conversation history and automatically writes derived content to disk. Because conversation history can contain sensitive prompts, internal code, secrets, or personal data, insufficient disclosure can lead users to invoke the skill without informed consent, causing unintended local data exposure or retention.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to activate during ordinary conversation, which can cause the skill to read historical sessions and transform them into blog content without a strong explicit command boundary. In this skill context, that matters because the skill has permission to list/read past sessions and write derived content to disk, so accidental invocation can expose or persist sensitive conversation data the user did not intend to process.

Ssd 3

Medium
Confidence
87% confidence
Finding
The script prints the full extracted conversation to stdout before blog-generation instructions, which can expose sensitive user content to terminals, logs, wrappers, or upstream agents that capture command output. Although a redaction pass exists, it is heuristic and incomplete, so confidential material may still leak beyond the minimum necessary scope.

Session Persistence

Medium
Category
Rogue Agent
Content
"permissions":
              [
                "filesystem:read ~/.openclaw/sessions/**",
                "filesystem:write ~/.openclaw/session2blog/articles/**",
                "session:list",
                "session:read",
              ],
Confidence
86% confidence
Finding
write ~/.openclaw/session2blog/articles/**", "session:list", "session:read", ], }, "install": [], }, } --- # Session2Blog (s2b)

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.