Security audit

Session Token Ledger

Security checks across malware telemetry and agentic risk

Overview

This skill locally analyzes OpenClaw token usage and creates local ledger files; it handles sensitive session metadata, but that behavior is disclosed and matches its purpose.

Install this only if you are comfortable with a local tool reading completed OpenClaw session logs and retaining derived usage metadata in local SQLite, JSON, and markdown files. Keep the generated assets private, and enable the optional hook only if you want automatic ongoing ledger rebuilds.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (7)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill instructs the agent to read local files, rebuild a SQLite ledger, and generate reports, which implies file read/write and possible environment access, but it declares no corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or platform may allow broader capabilities than users expect, increasing the risk of unauthorized local data access or modification if the skill is invoked in an unsafe context.

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The hook advertises token-ledger maintenance, but the documentation explicitly states it logs completed transcript content from session files. Session transcripts can contain prompts, secrets, proprietary code, and personal data, so collecting or persisting full content exceeds the stated purpose and creates a meaningful privacy and data-exposure risk.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The script is not read-only: it creates directories, writes markdown ledgers, writes an index and anomalies report, creates a temporary SQLite database, and atomically replaces the main database. That behavior exceeds pure inspection and can alter local artifacts without explicit consent, which is risky for a skill described as analysis-focused because it persists derived data from session transcripts.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The code derives paths up to the workspace and OpenClaw root, then scans raw session transcript files under agents/main/sessions rather than limiting itself to an existing ledger or summary input. This broadens access to potentially sensitive conversation metadata and token usage records beyond the narrower scope suggested by the skill description.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation says completed transcript content is logged, but gives no clear privacy warning or consent mechanism. Because transcripts may include sensitive user inputs and model outputs, silently retaining them can violate user expectations and increase the risk of accidental disclosure or overcollection.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script serializes transcript-derived metadata such as session IDs, session keys, file paths, channels, models, and timing into markdown ledgers and an index JSON without any warning or consent flow. Even if it does not copy full transcript content, these derived artifacts can expose sensitive operational or user-context information and increase data retention surface.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The code unlinks any existing temporary database, creates a new SQLite database, and later replaces the primary database file automatically. Silent replacement of local data artifacts is risky because users may not expect destructive regeneration, and it can overwrite prior results or interfere with concurrent tooling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.