ACP Transcript Sync

Security checks across malware telemetry and agentic risk

Overview

This skill openly syncs sub-agent transcripts, but it can copy sensitive child-session content into main logs and mutate the wrong session without enough user control.

Review before installing. Use this only when you intentionally want ACP child-session content copied into the main session and collected by systems that read the main transcript. Prefer passing an explicit main_session_id and main_agent, inspect the child transcript for secrets or private data first, and avoid automatic write-back in multi-session environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
When no main_session_id is supplied, the script automatically selects the most recently modified session file and appends ACP content to it. This can cause unintended modification of the wrong transcript, especially in multi-session environments, and may leak child-session reasoning or sensitive content into an unrelated main session.

Context-Inappropriate Capability

Low
Confidence: 74%
Finding
The script infers the main agent by probing environment variables, the current working directory, and the ~/.openclaw/agents tree. While intended as convenience, this broad discovery behavior increases the chance of selecting or exposing unrelated agent context and expands access beyond the minimum needed for transcript synchronization.

Missing User Warnings

Medium
Confidence: 98%
Finding
The description emphasizes transcript synchronization for AIMA collection but omits a clear warning that this copies child-session content, including potentially sensitive prompts, outputs, and reasoning traces, into the main transcript for broader visibility. Users may invoke the skill expecting operational convenience, without informed consent to the resulting data propagation and retention expansion.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script appends data directly to the main transcript file without confirmation, preview, backup, or transactional safeguards. This makes accidental data corruption or unauthorized transcript injection easier, particularly because the content being copied may contain sensitive prompts, tool outputs, or misleading assistant text.

Ssd 3

High
Confidence: 99%
Finding
The skill's core behavior is to copy all child-session transcript content, explicitly including user inputs and agent reasoning, into the main session so a collection platform can observe the full chain. This is dangerous because it broadens access to sensitive material, can violate least-privilege and data-minimization principles, and may leak internal reasoning or secrets from subagents into logs and systems that were not intended to receive them.

Ssd 3

Medium
Confidence: 94%
Finding
The script copies the entire ACP conversation, including user messages and tool-result content, into another transcript context. In this skill's stated purpose—making AIMA or similar platforms collect complete child-agent reasoning—this materially increases the risk of sensitive data exposure, cross-context leakage, and unintended disclosure of private prompts, secrets, or tool outputs.

VirusTotal

VirusTotal findings are pending for this skill version.
