Security audit

Session Compact

Security checks across malware telemetry and agentic risk

Overview

This session-compaction plugin is mostly aligned with its stated purpose, but its implementation can expose or alter sensitive conversation data and uses an unsafe shell-based LLM invocation.

Install only if you are comfortable reviewing and accepting a code plugin with local shell execution, plaintext session storage, and LLM processing of prior chat history. Avoid using it with secrets or sensitive business data unless the shell invocation is replaced with a scoped API call, config logging is removed or redacted, and session storage permissions and retention controls are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior materially exceeds the declared purpose: it persists session data, manages session lifecycle, reads local configuration, invokes the OpenClaw CLI, and logs configuration details. This mismatch reduces informed consent and can expose sensitive conversation content or configuration data, especially because users may install it expecting only in-memory token compaction.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document explicitly acknowledges that the plugin is blocked by security checks and requires `--dangerously-force-unsafe-install`, while also attributing this to `execSync` usage. That is a strong indicator the software triggers security-sensitive behavior and normalizes bypassing platform protections, which increases the chance users install potentially dangerous code despite warnings.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The compaction path invokes the full `openclaw agent` CLI on conversation-derived content, which expands the trust boundary from a local summarizer into a general-purpose agent runtime. Because the prompt is built from prior conversation text and passed to an agent capable of broader actions than pure summarization, prompt injection or unintended agent behaviors could cause data exposure, tool use, or side effects during what users may expect to be a passive compression step.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation promotes automatic session compaction that replaces older messages transparently, but it does not clearly warn users that historical context is being transformed and potentially lost. In a session-management skill, silent modification of conversation history can cause the agent to omit safety-relevant instructions, misunderstand prior decisions, or act on incomplete summaries, which can indirectly lead to unsafe or incorrect behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly states that historical messages are compressed via an LLM, but it does not clearly warn users that prior conversation contents may be sent to a model for processing. In a session-management plugin, users may reasonably assume local-only token management, so the missing disclosure creates a real privacy and data-handling risk, especially if sensitive prompts, credentials, or proprietary text appear in chat history.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented `compact` and `compact --force` commands imply an operational action but do not warn that they can irreversibly replace older session messages with summaries. In the context of a session compression plugin, this can cause loss of detailed conversation history, affect auditability, and surprise users into destructive actions without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises automatic compression and replacement of conversation history without a prominent warning that summaries may omit, distort, or overwrite important context. In a session-management plugin, silent modification of user conversation state can lead to data integrity issues, lost instructions, and unsafe downstream agent behavior based on incomplete summaries.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation promotes automatic session compression and emphasizes token savings, but it does not clearly warn that historical conversation content is rewritten into a summary and that important detail may be lost. In a session-management skill, this omission is security-relevant because users may rely on preserved context for correctness, auditability, or safe operation without understanding that prior messages can be condensed or altered.

Missing User Warnings

High
Confidence
95% confidence
Finding
The text says automatic compaction happens without user awareness and elsewhere indicates a model may be used to generate summaries, but it does not explicitly warn that message contents may be transmitted to an LLM or external gateway. For a conversation plugin, this is a significant privacy and data-handling issue because sensitive chat history could be processed by third-party services without clear user notice or consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The troubleshooting guide instructs users to manually clone a repository into the OpenClaw extensions directory and run `npm install --production`, which executes third-party package installation logic and may trigger lifecycle scripts. Presenting this as a normal fix path without any warning, verification guidance, or sandboxing advice increases the chance that users will execute untrusted code with their local user privileges.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Conversation history is transmitted to an LLM service via the CLI during summary generation, but this file provides no user-facing notice, consent flow, or data-classification guard. Since historical messages may include secrets, file paths, tool outputs, or sensitive business data, silent exfiltration to an external model/service creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code logs the full plugin configuration to stderr using JSON.stringify without redaction. If the configuration contains API keys, tokens, file paths, session identifiers, or other sensitive settings, those secrets may be exposed in terminal history, logs, CI output, or support bundles, increasing the risk of credential leakage and environment disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
}

  /**
   * Save session to file
   */
  saveSession(session: Session, sessionId: string): void {
    this.initialize();
Confidence
88% confidence
Finding
Save session to file

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/compact/engine.ts:64