Session Cleanup
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: session-cleanup Version: 1.0.0 The skill bundle is classified as suspicious due to the `cleanup.sh` script performing `rm -f` operations on files within the OpenClaw workspace, which is hardcoded to `/root/.openclaw`. While the script's purpose is legitimate file cleanup, running such a script with implied root privileges (operating in `/root`) introduces a risk of arbitrary file deletion via symlink attacks if an attacker could place a malicious symlink in one of the targeted directories. This represents a risky capability without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Old but still important session, queue, Telegram, subagent, or backup files could be permanently removed.
The script deletes files from multiple OpenClaw areas, including Telegram data and backup files, based only on age and filename patterns, with no dry-run, confirmation, quarantine, or recovery path.
find "$WORKSPACE/telegram" -type f -mtime +7 ... rm -f "$f" ... find "$WORKSPACE" -name "*.bak*" -mtime +3 -type f ... rm -f "$f"
Review and modify the script before use: add a dry-run mode, require confirmation before deletion, move files to a quarantine folder first, and limit cleanup to clearly disposable paths.
A user may trust that important sessions will be preserved when the included script can delete files without performing that promised protection.
The documentation promises value evaluation and preservation, but cleanup.sh contains only age-based find/rm cleanup and does not implement keyword matching or saving valuable sessions.
评估会话价值(关键词匹配) ... 保存有价值会话到记忆 ... 清理无价值会话
Do not rely on the preservation claim unless the implementation is updated to actually identify, review, and save valuable content before deletion.
Private session content could be persisted into agent memory and reused later in ways the user did not explicitly approve.
The skill describes scanning potentially private conversation and agent-session data and automatically saving selected content to memory, without defining user review, retention, redaction, or reuse boundaries.
目标目录 ... ~/.openclaw/telegram/ | Telegram 会话数据 ... ~/.openclaw/subagents/ | 子智能体会话 ... 自动评估并保存有价值内容
Require explicit user approval before saving session content to memory, define retention and deletion rules, and redact sensitive data by default.
If enabled, cleanup may run automatically each week and remove matching files without the user noticing each run.
The skill declares a recurring weekly schedule for the cleanup entrypoint. This is disclosed and aligned with periodic cleanup, but it means deletion could happen in the background.
"entry": "cleanup.sh", "cron": "0 3 * * 0"
Enable the cron schedule only after reviewing the deletion rules, and make sure there is a simple way to disable the scheduled job.
The scheduled job may fail or users may create their own wrapper without realizing the difference from the reviewed cleanup.sh.
The cron example references run.sh, but the provided manifest contains cleanup.sh and no run.sh, making the intended scheduled entrypoint unclear.
cron job add session-cleanup "0 3 * * 0" ~/.openclaw/workspace/skills/session-cleanup/run.sh
Fix the documentation to reference the reviewed entrypoint, or include and review the missing run.sh file.