Security audit

Neckr0ik Session Healer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate OpenClaw session repair utility, but it can alter session files and remove active locks in ways that may disrupt running agents or corrupt session state.

Install only if you understand that this tool can change OpenClaw session files and remove lock files under ~/.openclaw. Prefer dry-run or inspection commands first, keep backups, avoid using --force while any OpenClaw agents are running, and manually verify a session is inactive before unlocking or recovering it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill describes capabilities to scan session directories, inspect lock files, remove locks, and recover session data, which implies file read/write access, but it declares no permissions. This creates a transparency and authorization gap: users or host systems may invoke a skill with destructive filesystem behavior without an explicit permission contract.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
The heal function can delete lock files for sessions whose owning process is still alive when --force is used. Clearing an active lock breaks the coordination mechanism protecting session state and can lead to concurrent writes, session corruption, inconsistent model state, or interference with another running agent process.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding:
The targeted unlock command removes a matching lock file without checking whether the referenced PID is still running. This can invalidate active locking for a live session, allowing simultaneous access to the same session file and causing corruption or disruption of another process's work.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill includes destructive operations such as clearing locks and removing corrupted lines from session files, but the warning language is weak and does not clearly state the risks of data loss, session corruption, or disruption of active processes. In particular, options like --force materially increase the chance of damaging live sessions or causing race-condition-related corruption.

VirusTotal

65/65 vendors flagged this skill as clean.