Session Distiller

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but its automatic live distillation can capture and persist active conversations beyond the documented allowlist.

Install only if you are comfortable with OpenClaw transcripts, active-session content, meeting notes, and daily logs being summarized into durable memory. Before enabling context-gate or cron, restrict which sessions can auto-distill, verify where your LiteLLM proxy sends data, and consider disabling or minimizing Telegram alert metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return True
    try:
        log(f"  Auto-distilling session {session_id[:8]}...")
        result = subprocess.run(
            ["python3", str(DISTILL_SCRIPT), "--live-session", session_id],
            capture_output=True,
            text=True,
            timeout=180,
        )
Confidence
82% confidence
Finding
result = subprocess.run( ["python3", str(DISTILL_SCRIPT), "--live-session", session_id], capture_output=True, text=True, timeout=180, )

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code explicitly allows --live-session to process arbitrary session IDs not present in the live-session allowlist, despite documentation and comments stating only approved sessions should receive live distillation. In this skill, that matters because session contents are then parsed and forwarded to the LLM endpoint, enabling unauthorized processing and disclosure of unapproved conversations if a caller can invoke the script with an arbitrary ID.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comments and manifest claim live distillation is restricted to explicitly approved sessions, but the implementation later contradicts that by intentionally allowing arbitrary on-demand sessions. This mismatch is security-relevant because operators may rely on the stated restriction and unknowingly expose unapproved live transcripts to downstream processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends Telegram alerts using bot credentials but the documentation does not clearly warn that session identifiers, context usage, filenames, or other operational metadata may be transmitted to a third-party service. In a tool that processes private transcripts and memory files, even partial metadata leakage can expose sensitive conversation patterns, identities, or operational details.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Completed session transcripts are sent to a chat-completions endpoint over plaintext HTTP on localhost without any explicit runtime disclosure, consent, or verification of what service is actually bound there. In a transcript-distillation skill, this is sensitive by context because session logs can contain credentials, personal data, or internal discussions, and a malicious or misconfigured local proxy could capture them wholesale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Live session content is distilled by sending new conversation material to the same local chat-completions endpoint, again without a clear runtime warning or consent barrier. Because this is live data rather than closed archives, the privacy and policy risk is higher: the skill can continuously exfiltrate fresh conversation content from active sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Meeting notes are also transmitted to the chat-completions endpoint without explicit disclosure that note content will leave the local process for LLM handling. Meeting notes often contain strategic, personal, or confidential data, so silent transmission materially increases privacy and compliance risk in this context.

VirusTotal

63/63 vendors flagged this skill as clean.
