Skill v1.1.1
ClawScan security
Openclaw History Viewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 15, 2026, 1:20 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code generally matches a local history viewer/backup purpose, but there are unexplained or undocumented file-modifying operations (delete endpoints) and uncertainty about how the HTTP server binds and what network exposure it has. Review those before installing.
- Guidance: This skill largely does what it says: it starts a local web server to view OpenClaw session files and can create backups. Before installing or running it, do the following:
  1. Inspect the remainder of history_server.py (the truncated portion) to confirm whether the HTTP server binds only to localhost (127.0.0.1) or to all interfaces; make sure it binds to localhost if you do not want remote access.
  2. Search the code for any POST/DELETE endpoints or handlers that expose delete_session or file-write operations via HTTP; if present, confirm whether they require authentication or are intentionally disabled.
  3. If you plan to run it, run it as your regular (non-root) user and not on a publicly routable interface; consider firewall rules or an SSH tunnel if you need remote access.
  4. The backup scripts write to ~/.openclaw/workspace/history/ and create or modify backup_index.json; if you keep sensitive data there, review those files and their permissions.
  If you are not comfortable auditing the full server code (especially the missing parts), treat this skill as potentially risky and avoid running it on production or multi-user machines.
Review Dimensions
- Purpose & Capability (ok): Name/description match the files: scripts read ~/.openclaw session files, present a local web UI, and provide backup scripts. Access to those local paths is necessary for the stated purpose.
- Instruction Scope (concern): SKILL.md instructs running the included Python server locally and the backup scripts; however, the server code contains a delete_session function (it deletes session files and .reset. backups) that is not documented in SKILL.md. The runtime instructions claim local-only access (localhost) but do not show or verify the server's bind address or any access control/authentication. That combination (undocumented destructive actions plus unclear exposure) is a scope and safety concern.
- Install Mechanism (ok): No external install/downloads or package installs; the skill is instruction-only with bundled Python scripts. Nothing is pulled from arbitrary URLs. Files run locally, so risk is limited to local file operations.
- Credentials (note): The skill reads and writes only to OpenClaw data directories under the user's home (~/.openclaw) and a backup workspace (~/.openclaw/workspace/history), which is proportionate. It does modify files (backups, backup_index.json) and may delete session files; these write/delete permissions are expected for backup tooling but should be explicit and confirmed by the user.
- Persistence & Privilege (ok): The skill does not request persistent platform privileges (always=false). It runs as a local process and stores backups under the user's home; no modification of other skills or global agent settings was detected in the provided files.
