Openclaw History Viewer

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its history-viewing purpose, but it should be reviewed because it serves private chat logs over an unauthenticated web server and includes an under-disclosed delete API.

Install only after reviewing the server behavior. Use it on a trusted single-user machine, prefer foreground execution, bind to 127.0.0.1 if you run it, stop it when finished, avoid the delete API unless you fully understand the data loss risk, and treat exports/backups as sensitive copies of your conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation instructs users to run a local web server, read chat history files, expose them via HTTP endpoints, and create persistent backups, but it declares no permissions. That mismatch is dangerous because users and policy engines cannot accurately understand that the skill accesses sensitive conversation data, writes copies to disk, and opens a network service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is history viewing/export, but the finding indicates the skill also supports permanent deletion of session files and backup metadata through an API and UI. Hidden destructive capability is high risk because a user invoking a viewer may not expect data loss, and any exposed delete route against sensitive history materially increases integrity risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script performs persistent write operations by creating backup copies of session files and updating a backup index, which exceeds the skill's stated purpose of merely viewing/browsing chat history. Because the data being copied is chat history, this behavior increases the amount of sensitive data stored on disk and broadens the privacy and data-retention footprint if the skill is invoked unexpectedly or without clear user consent.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Maintaining an additional backup index and storing extra copies of session data introduces unnecessary persistence beyond core history viewing. While not inherently malicious, this expands the attack surface by creating more locations where sensitive conversation content and metadata can accumulate and later be exposed or mishandled.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This history-viewing server includes deletion logic that permanently removes active session files, reset backups, and manual backup files, which exceeds the declared browse/view/export purpose of the skill. Because this destructive capability is exposed through the same web service, a user or webpage reaching the local server can trigger irreversible data loss with no meaningful safeguards.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The POST /api/delete endpoint performs permanent file deletion without any authentication, authorization, or origin validation. In the context of a local history viewer, this is especially dangerous because any process or potentially a malicious website interacting with localhost could delete chat history and backups, causing irreversible loss of potentially important records.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly documents API endpoints that return and export full chat session data, but provides no warning that these records may contain sensitive prompts, credentials, personal data, or internal context. In a history-viewing skill whose core purpose is exposing archived conversations over HTTP, omission of privacy and access-control guidance materially increases the risk of accidental data disclosure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to overlap with ordinary conversation about chat history, making accidental activation more likely. In this skill, accidental invocation is more dangerous than usual because activation starts a service that exposes sensitive local chat records and possibly backup data.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The natural-language startup section promises that the assistant will 'automatically' start the service for several ambiguous phrases without clarifying security consequences. This increases the risk of unintended service launch and exposure of chat contents through the UI and JSON API.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description emphasizes convenience features but omits a clear warning that the browser UI and API expose full chat history and message contents, which may include sensitive prompts, tool outputs, and secrets. Lack of disclosure undermines informed consent and makes accidental exposure more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manual backup instructions tell users to copy session data into a separate persistent directory but do not clearly warn that this creates additional retained copies of sensitive conversation history. Extra copies increase the attack surface, persistence window, and chance of later unintended disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
### 🔙 Background startup

```bash
nohup python3 ~/.openclaw/skills/openclaw-history-viewer/scripts/history_server.py > /tmp/history.log 2>&1 &
```

## Features
Confidence
83% confidence
Finding
nohup

VirusTotal

64/64 vendors flagged this skill as clean.
