Session History Share

Security checks across malware telemetry and agentic risk

Overview

This skill openly implements session-history sharing, but it automatically persists and reinjects conversation summaries across sessions and installs a daily cron job without strong user controls.

Install only if you intentionally want prior OpenClaw conversations summarized, stored on disk, and automatically injected into later sessions. Review the cron job and ~/.openclaw/openclaw.json changes, avoid using it with sessions containing secrets or client data unless you accept that carryover, and know how to remove the hook, cron task, and .session_history archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The handler reads prior session archives from a per-user disk location and silently injects that content into BOOTSTRAP.md for the current run. This creates cross-session data flow without explicit user consent, minimization, or validation of whether the archived content should be reintroduced, which can expose sensitive information and influence downstream agent behavior with stale or attacker-planted content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The installer does more than install files and register a hook: it also creates a persistent scheduled task that runs daily. That expands the skill's capabilities from one-time setup into ongoing automated processing, including access to session data, without clear necessity or explicit consent, which is risky for a security-sensitive agent environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly describes automatic extraction of prior session content, storage of summaries on disk, and reinjection into future prompts, but provides no warning, consent flow, retention caveats, or handling guidance for sensitive data. In an agent skill context, this increases the risk of unintended cross-session disclosure of secrets, personal data, or prior-task context that users may reasonably expect to remain isolated.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly describes automatic cross-session sharing of prior conversation summaries and prompt injection into new sessions, but provides no user-facing consent, warning, or privacy boundary explanation. This is dangerous because users may reasonably expect session resets to clear context, while the skill instead preserves and reintroduces potentially sensitive data across boundaries.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The documentation instructs deletion of older archive files and retention of only the latest three summaries, but does not warn users that older conversation-derived data will be destructively rotated. This can cause unexpected loss of records while still retaining sensitive summaries long enough to be reinjected elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly states that compressed summaries from prior sessions are automatically injected into each new conversation at bootstrap, but it does not warn the user about this behavior or its privacy implications. This can cause unintended cross-session data exposure, prompt contamination, or leakage of sensitive information from an earlier session into a new context without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Session history from disk is inserted into the model bootstrap context with no user-facing warning, so sensitive prior conversation content may be exposed to the model or affect outputs without the user's knowledge. Because the injected material is treated as bootstrap context, it can also act as a prompt-injection persistence mechanism across sessions if a previous archive contains adversarial instructions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script silently modifies the user's ~/.openclaw/openclaw.json to enable and register an internal hook, changing agent behavior without prior confirmation. Silent configuration changes are dangerous because they persist beyond installation and may enable capabilities the user did not knowingly approve.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The installer invokes a subprocess to add a persistent cron job without clear disclosure or user confirmation. Creating scheduled tasks is a high-trust action because it establishes ongoing execution and can continue collecting or processing data long after the initial install.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The core design preserves prior session content and reinjects it into new sessions via bootstrap prompts, creating a built-in cross-session data leakage channel. This undermines session isolation and can expose secrets, personal data, or prior instructions from one context into another where they may be surfaced, acted on, or further disclosed.

Ssd 3

Severity: High
Confidence: 97%
Finding:
The cron workflow instructs the system to read transcript files, summarize message content, and store the result for later reuse, which operationalizes collection and secondary disclosure of conversation data. The danger is heightened because this occurs automatically on a schedule and writes derived content to disk, expanding both exposure surface and persistence beyond the original session lifecycle.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The scheduled task is explicitly described as reading all active session JSONL tails, extracting summaries or recent messages, and writing them into persistent history files. This creates a clear confidentiality risk because potentially sensitive session content is being aggregated and retained on disk automatically, increasing exposure and forensic footprint.

VirusTotal

62/62 vendors flagged this skill as clean.
