OpenClaw Session Guard

Security checks across malware telemetry and agentic risk

Overview

This skill appears built for OpenClaw session rotation, but it installs background automation that can archive chat excerpts and rewrite active session state without strong user controls.

Install only if you want a background macOS LaunchAgent to manage OpenClaw sessions automatically. Expect recent chat snippets to be stored under ~/.openclaw/knowledge/session-archives and reused for handoff; avoid using it with sessions containing secrets unless you add redaction, cleanup, and stricter file permissions. Verify the missing LaunchAgent plist template and confirm uninstall works before relying on it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (13)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill instructs the user/agent to run install, status, and uninstall shell scripts and describes behavior that reads and writes local state such as archives, session rotation data, and scheduled tasks, yet no explicit permissions are declared. This creates a trust and consent gap: the skill can perform file system operations with operational impact without transparent permission signaling, which is especially relevant because it manages persistent session data and task installation.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The document describes automatic archival, handoff-file creation, and transparent session switching, but it does not clearly warn users that their session state will be modified and new files will be written to disk. In a session-management skill, silent persistence and mutation of active conversation state can surprise users, expose sensitive prompts or summaries in local storage, and create integrity/confidentiality risks if users did not explicitly consent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The installer silently creates files under the user's home directory and immediately registers and starts a LaunchAgent, establishing persistent background execution without any explicit confirmation or warning. In an agent-skill context, persistence is especially sensitive because users may run install scripts expecting a one-time setup, not an always-on scheduled task.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script persistently archives recent user and assistant message content to markdown files under ~/.openclaw/knowledge/session-archives without any consent, notice, retention control, or permission hardening. Because these archives contain conversation excerpts and file paths, they expand the exposure surface for sensitive data well beyond the live session and can be read later by other local processes or users with filesystem access.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The rotator extracts recent user and assistant text from the prior session, writes it to archive files, and then instructs the next session to continue from that archive. This creates a deliberate cross-session data flow that can leak secrets, personal data, or prior instructions into new contexts, especially if sessions differ in trust level, audience, or agent behavior.

Session Persistence

Medium

Category: Rogue Agent
Content: install -m 755 "$SCRIPT_DIR/openclaw-session-rotator.sh" "$BIN_DIR/openclaw-session-rotator.sh" PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY'
Confidence: 90% confidence
Finding: PLIST

Session Persistence

Medium

Category: Rogue Agent
Content: install -m 755 "$SCRIPT_DIR/openclaw-session-rotator.sh" "$BIN_DIR/openclaw-session-rotator.sh" PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY'
Confidence: 90% confidence
Finding: plist

Session Persistence

Medium

Category: Rogue Agent
Content: install -m 755 "$SCRIPT_DIR/openclaw-session-rotator.sh" "$BIN_DIR/openclaw-session-rotator.sh" PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY' import pathlib, sys
Confidence: 90% confidence
Finding: PLIST

Session Persistence

Medium

Category: Rogue Agent
Content: install -m 755 "$SCRIPT_DIR/openclaw-session-rotator.sh" "$BIN_DIR/openclaw-session-rotator.sh" PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY' import pathlib, sys
Confidence: 90% confidence
Finding: plist

Session Persistence

Medium

Category: Rogue Agent
Content: PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY' import pathlib, sys tpl, out, home, oc_bin, oc_bin_dir = map(pathlib.Path, sys.argv[1:6]) text = tpl.read_text(encoding="utf-8")
Confidence: 88% confidence
Finding: PLIST

Session Persistence

Medium

Category: Rogue Agent
Content: PLIST_TEMPLATE="$SCRIPT_DIR/ai.openclaw.session.rotator.plist.template" PLIST_TARGET="$LAUNCH_DIR/ai.openclaw.session.rotator.plist" python3 - "$PLIST_TEMPLATE" "$PLIST_TARGET" "$HOME_DIR" "$OPENCLAW_BIN" "$OPENCLAW_BIN_DIR" <<'PY' import pathlib, sys tpl, out, home, oc_bin, oc_bin_dir = map(pathlib.Path, sys.argv[1:6]) text = tpl.read_text(encoding="utf-8")
Confidence: 88% confidence
Finding: PLIST

Session Persistence

Medium

Category: Rogue Agent
Content: out.write_text(text, encoding="utf-8") PY launchctl bootout "gui/$(id -u)" "$PLIST_TARGET" >/dev/null 2>&1 || true launchctl bootstrap "gui/$(id -u)" "$PLIST_TARGET" launchctl kickstart -k "gui/$(id -u)/ai.openclaw.session.rotator"
Confidence: 95% confidence
Finding: PLIST

Session Persistence

Medium

Category: Rogue Agent
Content: PY launchctl bootout "gui/$(id -u)" "$PLIST_TARGET" >/dev/null 2>&1 || true launchctl bootstrap "gui/$(id -u)" "$PLIST_TARGET" launchctl kickstart -k "gui/$(id -u)/ai.openclaw.session.rotator" echo "[install] done"
Confidence: 95% confidence
Finding: PLIST

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal