Openclaw Dual Cleanup

Security checks across malware telemetry and agentic risk

Overview

This cleanup skill appears purpose-aligned, but it can delete OpenClaw session/cache files with broad matching and optional unattended force-mode automation.

Install only if you want local OpenClaw session/cache deletion. Run dry-run first, review the exact files, avoid force mode until validated, do not run as sudo/Administrator unless necessary, and do not enable cron/startup/heartbeat automation until the deletion scope and backups are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises executable behavior including environment access, file reads, and shell/script execution, but does not declare any permissions. That creates a transparency and trust failure: users or hosting systems cannot accurately gate or review what the skill is allowed to do before it performs destructive cleanup actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is narrowly framed as session cleanup, but the described behavior extends to cache cleaning and searching multiple generic OpenClaw-related directories using broad filename heuristics. This mismatch is dangerous because users may authorize a limited maintenance task while the skill deletes a wider set of files than expected, increasing risk of data loss or unintended destructive actions.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The README explicitly advises running the cleanup script with administrator or sudo privileges to delete files. For a tool that uses heuristic matching to remove files, elevating privileges broadens filesystem access beyond the stated purpose and increases the blast radius of mistakes, making accidental deletion or abuse materially more damaging.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The changelog documents automatic cleanup that can delete session files based on low thresholds and scheduled triggers, but it does not clearly warn users about deletion risk, scope of affected files, retention guarantees, or recovery limitations. In a cleanup skill, destructive automation is expected, but the absence of prominent user-facing warnings and safeguards increases the chance of unintended data loss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The gateway compensation mechanism introduces delayed destructive execution: cleanup may run later at gateway startup rather than at the originally expected time. This is more dangerous than immediate scheduled cleanup because users may not associate startup with file deletion, making the action surprising and increasing the risk of deleting files that were expected to remain available.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs deployment of automatic 'deep cleanup' behavior but does not explain what files, session data, or state may be deleted or altered. In an agent skill that operates on OpenClaw session storage, this omission increases the risk of unintended data loss because operators may enable automation without understanding destructive consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manual test section includes a forced cleanup execution example that appears to bypass normal safeguards, yet it lacks a clear warning that the action may delete session files or other persistent data. This is dangerous because operators may run the example during testing and cause irreversible cleanup in a live environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation promotes force cleanup that skips confirmation while also describing physical file deletion. Because the file-matching logic is heuristic-based, users are not adequately warned that force mode can irreversibly delete unintended files, especially if naming patterns overlap with non-session artifacts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README recommends unattended scheduled execution in force mode without emphasizing retention, validation, or recovery risks. Automating destructive cleanup based on broad matching increases the chance of repeated accidental deletion and makes errors harder to detect before data is lost.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explains that the tool searches multiple OpenClaw-related paths and treats any .jsonl file or path containing keywords like session, cron, tui, agent, or subagent as deletable. This is an overbroad heuristic, and without a warning users may assume only true session files are affected, creating a realistic risk of deleting unrelated data.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad natural-language commands such as '清理会话' and related variants, which could be matched during ordinary conversation rather than an intentional destructive request. Because the skill performs cleanup and deletion, accidental activation could lead to unintended removal of session or cache data.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The heartbeat-based automatic trigger is described ambiguously, with conditions like file-count thresholds and scheduled behavior but without a clear execution boundary or user-consent model. Ambiguous autonomous cleanup is risky because it can activate unexpectedly and perform destructive operations when users do not anticipate them.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "清理会话" is broad enough to overlap with ordinary user requests about managing chats or session state, which can cause the skill to activate when the user did not explicitly intend to invoke it. Because this skill is a system-maintenance/cleanup skill and is described as automated, accidental invocation could lead to unintended cleanup actions or deletion-related side effects.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "双重清理" is ambiguous and does not identify what will be cleaned, making accidental activation more likely in unrelated conversations. In the context of a cleanup skill intended to address deletion/cache issues, ambiguity increases the risk that maintenance behavior is invoked without clear user consent or understanding.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
Setting the manifest language to "zh-CN" is not dangerous by itself, but forcing a single locale without user opt-in can cause the skill to activate or present instructions in a language the user does not expect. In a maintenance skill, this can reduce user understanding of prompts or confirmations and increase the chance of mistaken approval of cleanup actions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase set includes generic user-facing phrases such as '清理会话' and '清理旧会话', which can plausibly appear in ordinary conversation or maintenance requests. That creates a real risk of unintended activation of this skill, especially because the manifest does not show additional narrowing conditions in this file.

Vague Triggers

Low
Confidence
89% confidence
Finding
The manifest defines activation primarily through trigger phrases and does not indicate any secondary guardrails such as permission checks, confirmation, or contextual scoping. For a cleanup-oriented skill, that increases the chance that destructive or state-altering behavior could be invoked too easily or in the wrong context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Force mode enables irreversible deletion of files without an additional explicit warning at invocation time, increasing the chance of accidental destructive actions. In a cleanup utility that recursively scans multiple candidate directories and uses broad matching for session files, reduced friction materially raises the risk of unintended data loss.

Session Persistence

Medium
Category
Rogue Agent
Content
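### **Crontab example (Du's optimized version)**
```bash
# Edit crontab example
# crontab -e

# Per Du's requirement: run one automatic deep cleanup only on Mondays at 9:00
# Cancel the monthly and weekly automatic cleanups; focus on the single Monday cleanup
```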
Confidence
86% confidence
Finding
crontab -e

VirusTotal

No VirusTotal findings
