Chat History

Security checks across malware telemetry and agentic risk

Overview

This skill is a local chat archiver, but it persistently indexes sensitive conversation history and its documentation understates the privacy and scheduling impact.

Install only if you are comfortable with a searchable local copy of your OpenClaw conversations being created and updated on a schedule. Before enabling it, inspect the cron task, choose one entry point such as main_v3.py, restrict archive permissions, avoid storing secrets in chats, and know how to stop the scheduled task and delete the archive directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (42)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if check_cron_setup():
            return True, "定时任务已存在"

        result = subprocess.run(
            [
                "openclaw", "cron", "add",
                "--name", "chat-history-archive",
Confidence
86% confidence
Finding
result = subprocess.run( [ "openclaw", "cron", "add", "--name", "chat-history-archive", "--cron", "59 23 * * *", "--

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        skill_dir = os.path.dirname(os.path.abspath(__file__))
        main_py_path = os.path.join(skill_dir, "main_v3.py")

        result = subprocess.run(
            [
                "openclaw", "cron", "add",
                "--name", "chat-history-archive",
Confidence
87% confidence
Finding
result = subprocess.run( [ "openclaw", "cron", "add", "--name", "chat-history-archive", "--cron", f"{minute} {hour} * * *",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                parts = line.split()
                if parts:
                    task_id = parts[0]
                    subprocess.run(
                        ["openclaw", "cron", "remove", task_id],
                        capture_output=True,
                        text=True,
Confidence
79% confidence
Finding
subprocess.run( ["openclaw", "cron", "remove", task_id], capture_output=True, text=True,

Tainted flow: 'filepath' from os.environ.get (line 239, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        filepath = os.path.join(ARCHIVE_DIR, filename)

        # Save the formatted archive to disk
        with open(filepath, 'w', encoding='utf-8') as f:
            f.write(formatted)

        print(f"✅ 归档: (unknown) ({len(messages)} 条消息)")
Confidence
86% confidence
Finding
with open(filepath, 'w', encoding='utf-8') as f:

Tainted flow: 'filepath' from os.environ.get (line 296, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        filepath = os.path.join(date_folder, filename)

        # Save the formatted archive to disk
        with open(filepath, 'w', encoding='utf-8') as f:
            f.write(formatted)

        print(f"✅ 归档: (unknown) ({len(messages)} 条消息)")
Confidence
84% confidence
Finding
with open(filepath, 'w', encoding='utf-8') as f:

Tainted flow: 'EVALUATIONS_FILE' from os.environ.get (line 14, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    }

    # Write the index to file
    with open(EVALUATIONS_FILE, "w") as f:
        json.dump(data, f, indent=2, ensure_ascii=False)

    print(f"✅ 已初始化评估索引")
Confidence
89% confidence
Finding
with open(EVALUATIONS_FILE, "w") as f:

Tainted flow: 'STATUS_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_status(status):
    """Save the status to the status file."""
    with open(STATUS_FILE, "w") as f:
        json.dump(status, f, indent=2, ensure_ascii=False)

def log_message(message):
Confidence
81% confidence
Finding
with open(STATUS_FILE, "w") as f:

Tainted flow: 'LOG_FILE' from os.environ.get (line 29, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    """Append a timestamped entry to the log file."""
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    log_entry = f"[{timestamp}] {message}\n"
    with open(LOG_FILE, "a") as f:
        f.write(log_entry)

def check_cron_setup():
Confidence
82% confidence
Finding
with open(LOG_FILE, "a") as f:

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims privacy protection while simultaneously describing archiving of complete conversations and exposing a real user-specific filesystem path. This creates a mismatch between stated privacy guarantees and actual data handling, which can mislead users about the sensitivity and locality of stored data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document makes strong safety claims such as 'completely removed all system commands' while later admitting the implementation uses subprocess to invoke the OpenClaw CLI. Calling a CLI through subprocess is still command execution and can create host-side effects, so the notice is materially misleading and may cause users or reviewers to underestimate risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Claiming 'no system permissions required' is misleading because scheduling cron jobs and modifying local files are privileged side effects on the host environment, even if they do not require elevated root privileges. This can reduce user caution around persistence and file changes, increasing the chance of unintended installation or misuse.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The checklist says there are 'zero system commands,' but the dependency section explicitly lists subprocess for OpenClaw CLI invocation. This internal contradiction indicates inaccurate security documentation, which is dangerous because it obscures the real execution model and hampers informed review of command-execution risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document explicitly tells reviewers and users to trust a claimed 'complete security audit' and 'safe to use' status, while also acknowledging capability to modify crontab and establish persistence. Security-assurance language that attempts to preempt scrutiny is itself risky because it can mislead users into approving privileged behavior without independent verification.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The notice claims file operations are limited to the local workspace and avoid sensitive paths, but elsewhere admits to interacting with crontab and creating scheduled scripts, which exceeds a simple workspace-only boundary. This mismatch is dangerous because it understates the actual scope of system changes and can cause users or reviewers to underestimate persistence and host-level impact.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
Claiming fully local, offline, and non-sensitive behavior is somewhat misleading when the same file describes setting up persistent scheduled execution via crontab. Although this does not imply data exfiltration by itself, it does normalize persistence and downplays the operational risk of background execution on the user's machine.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document makes a materially misleading safety claim: it says all file operations remain within the local working directory, yet it explicitly lists writes to /var/log/chat-archive.log, which is outside that directory and may have broader visibility and privilege implications. Misstating storage boundaries can cause users or reviewers to underestimate where conversation data is written and who may access it.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The report claims there is no privacy leakage risk while also describing full conversation archiving, tool-call retention, and logging to local files. Even without network exfiltration, persistent local storage of complete dialogues can expose sensitive prompts, outputs, secrets, and operational metadata to other local users, backups, or later compromise.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill documents features to list and search prior skill security evaluations, which expands the data collection purpose beyond chat archiving into retaining security-review metadata. That creates unnecessary sensitive-data aggregation and can expose prior assessment history, tool judgments, and analyst conclusions to later prompts or unauthorized local access.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The privacy section claims archives do not include sensitive system information, but elsewhere the skill says it stores full Channel-side conversations and evaluation records, which can easily contain secrets, system prompts, file paths, credentials, or security notes. This misleading assurance can cause users to enable archival without understanding the real exposure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill modifies the user's crontab and installs a recurring script, giving it persistence beyond the immediate user action. For a chat-history utility, persistent scheduled execution materially increases risk because it can keep collecting or processing sensitive conversation data every day without ongoing user review.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The cron-management logic is inconsistent: it claims to remove old 'chat-history' jobs, but the installed cron line does not include that marker, while other cleanup logic later targets 'archive-daily.sh'. This can leave orphaned scheduled tasks behind, causing unintended persistence and making it harder for users to disable background execution.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The changelog advertises automatic archiving of conversation records, incremental capture, multi-channel coverage, and cross-end querying, but provides no mention of consent, retention limits, access controls, or privacy notices. In a skill context, this can enable unnoticed collection and aggregation of potentially sensitive user communications across channels, increasing privacy and compliance risk.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list includes broad everyday phrases like 'archive', 'backup', '聊天记录', and 'I forgot', which can cause the skill to activate during ordinary conversation without clear user intent. In this skill, unintended activation is more dangerous because activation can lead to searching, surfacing, or enabling archival of sensitive conversation history.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation flow presents archiving past chats as a convenience feature but does not prominently warn that it will create a searchable local repository of potentially sensitive historical conversations. Users may consent without understanding the scope, retention, and privacy implications of archiving all prior dialogue.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README advertises '30+ keywords' and natural-language triggering without defining strict activation boundaries, which can cause the skill to activate on ordinary user conversation rather than explicit commands. In a chat-archiving/search skill, accidental activation can expose prior conversation history or evaluation records when the user did not intend to invoke the tool.

VirusTotal

65/65 vendors flagged this skill as clean.