Back to skill

Security audit

session-continuity

Security checks across malware telemetry and agentic risk

Overview

This is a local checkpointing skill, but it needs review because it can silently save session details and its helper script does not safely confine checkpoint file names.

Install only if you are comfortable with local plaintext checkpoints and autosaves in your OpenClaw workspace. Use simple kebab-case checkpoint names, avoid saving secrets or sensitive personal data, review autosave.md and autosave-log.md periodically, and treat resume/delete prompts carefully until name validation and explicit delete/autosave controls are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read and write durable files (`SESSION-STATE.md`, `memory/checkpoints/*.md`, autosave logs) and to inspect environment/session status, but the metadata declares no permissions. That mismatch is dangerous because operators and users cannot accurately assess what the skill can persist or modify, which weakens review, consent, and sandboxing controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description frames the skill as a checkpoint/resume aid, but the body also authorizes destructive deletion and maintenance of a hidden autosave log. Undisclosed destructive and persistent logging behavior is risky because reviewers may approve the skill expecting simple save/resume semantics while it can erase artifacts and create additional durable records.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The resume flow says user approval is required before proceeding, but later instructs the agent to delete the checkpoint automatically if resumption is rejected. This inconsistency can cause unintended data loss from a simple 'no' response that may mean 'not now' rather than 'destroy the saved state.'

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template includes personally identifying and contact information such as a username and email address in a generic checkpoint example, even though session-resume state does not require real-looking personal data. Because this skill is designed to persist checkpoints across sessions, normalizing inclusion of PII increases the chance users or agents will store unnecessary sensitive data long-term.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly describes persisting rich session state to disk, including task summaries, file paths, line ranges, blockers, decisions, and relevant context, but it does not warn users that potentially sensitive conversation or workspace data will be stored in plaintext files. In a session-continuity skill, this materially increases privacy and data-retention risk because users may assume transient chat state rather than durable local artifacts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The auto-save trigger uses broad natural-language close signals like 'goodnight', 'exit', and 'logout', which can appear in ordinary conversation or quoted text and may cause unintended checkpoint creation. That can silently capture and persist sensitive context without deliberate user intent, especially in a skill whose core function is writing resumable state to disk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly says checkpoint files store task summaries, file paths and line numbers, exact next actions, blockers, and key decisions, but it does not warn that this may persist sensitive project data, secrets, internal paths, or reasoning to disk. In a session-continuity skill, durable storage is core functionality, so undocumented persistence of potentially sensitive context creates a real privacy and data-exposure risk if the workspace is shared, backed up, or later inspected by other tools or users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automatic checkpoint section states that autosave occurs on close signals, high context, inactivity, or long-running operations, but it does not clearly emphasize that user activity and work context may be persisted without an explicit save command. Silent or insufficiently disclosed automatic persistence is risky because users may unknowingly write sensitive workflow details to disk, especially during private or security-sensitive tasks.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill is designed to auto-activate on broad conditions like close signals and high context, which can be hit during normal conversation. In this context, accidental activation matters because the resulting action is durable persistence of task state and conversation-derived context without a clear, contemporaneous consent boundary.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Resume triggers include generic phrases like 'where did we stop?' and other common language that may be conversational rather than an instruction to access persistent storage. In a skill that reads prior-session artifacts and may continue execution, ambiguous trigger phrases increase the chance of unintended recovery actions and disclosure of persisted context.

Missing User Warnings

High
Confidence
95% confidence
Finding
The auto-checkpoint protocol writes session state and appends to an autosave log with 'No user-visible output.' Silent persistence of conversation-derived state across sessions is a privacy and consent risk, especially because saved data may include blockers, decisions, file paths, preferences, and other sensitive context.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Deletion of named checkpoints is destructive, but the instructions do not require an explicit warning or confirmation at the point of deletion. That makes accidental or misunderstood deletion more likely, causing irreversible loss of saved task context that may be needed for later recovery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to autonomously write `memory/checkpoints/autosave.md` and `memory/checkpoints/autosave-log.md` based on internal signals, but does not require a clear user-facing warning or consent before modifying workspace files. This can lead to unexpected persistence of sensitive task state or notes in the user's workspace, especially because triggering is automatic and tied to context pressure or inferred session-ending phrases.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The resume trigger logic treats broad phrases like "continue" or "where did we stop?" as sufficient to initiate checkpoint selection and potential state restoration. In a conversational assistant, these phrases are common and context-dependent, so the skill may surface or resume prior task state without clear user intent, creating a risk of unintended cross-task data exposure or action taken from stale state.

Natural-Language Policy Violations

Low
Confidence
79% confidence
Finding
The skill hard-codes multilingual close signals such as "goodnight," "晚安," and "明天见" to trigger automatic checkpointing without any opt-in or locale policy. This can cause silent persistence of session state when users use ordinary conversational phrases, increasing the chance of retaining sensitive data unexpectedly and doing so inconsistently across languages.

Ssd 3

Medium
Confidence
91% confidence
Finding
The save instructions explicitly persist conversation-derived context, preferences, decisions, blockers, and other non-file information into durable checkpoint files. In this skill's context, that cross-session storage can capture sensitive or personal data beyond what is necessary for task continuation, increasing privacy exposure if files are later accessed, synced, or retained indefinitely.

Ssd 3

High
Confidence
97% confidence
Finding
The autosave behavior silently records session state on broad triggers like close signals and idle time, creating durable artifacts without user-visible notice. That is particularly dangerous because it combines implicit triggering with indefinite persistence, making unintentional capture of sensitive in-session content much more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.