Security audit

session-archivist

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Hermes session cleanup, but it rewrites private session history and can automatically persist summaries to a local memory service or recurring job, so users should review it before installing.

Review this skill before installing. Run --list and --dry-run first, use --no-hindsight or set hindsight_enabled: false unless you explicitly want session summaries stored in Hindsight, and avoid setup_cron.sh until you are comfortable with unattended trimming. Treat archives and backups as sensitive because they may contain prompts, paths, local endpoints, project details, and configuration values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

1. Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises and documents behavior that uses shell commands, file writes, environment access, and optional networked/local HTTP integration, but it does not declare permissions. This reduces transparency and weakens any permission-gating or user review process, making potentially sensitive operations easier to invoke without informed consent.

2. Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented behavior extends beyond simple session archiving into process inspection, gateway log inspection, cron creation, backup cleanup, and HTTP interaction with a memory service, while also claiming a memory flush behavior that is not actually implemented. This mismatch can mislead users about what the skill does, causing unintended persistence, scheduling, and local service interaction in a context handling sensitive session data.

3. Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The guide documents automatic detection of a local Hindsight service and automatic uploading of archived session content to it, which expands the skill from local file maintenance into networked data transfer and external memory storage. Even though the endpoint is localhost, archived sessions may contain sensitive conversation data, and the behavior is not framed with explicit consent, scope limits, or security/privacy warnings.

4. Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The skill description presents local session archiving, but the implementation can export generated session summaries to a Hindsight service over HTTP. Because those summaries contain user conversation content, decisions, errors, references, and potentially sensitive paths or URLs, this creates a real confidentiality risk and an undocumented data exfiltration path.

5. Missing User Warnings
Severity: Medium
Confidence: 77%
Finding: The README promotes automatic archiving, trimming, backup retention, and optional memory-store export, but it does not prominently warn that session files will be modified and that additional archive copies may be created. For a tool operating on conversation history, insufficient disclosure can lead users to unintentionally alter or duplicate sensitive data, increasing privacy and integrity risk.

6. Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The README instructs users to install unattended cron execution without an explicit warning that the task will automatically process and modify session files on a schedule. Scheduled background modification of session history can surprise users, cause unintended data changes, and repeatedly archive sensitive content without active review.

7. Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill stores archived session content to local markdown and may also send structured summaries into Hindsight memory, but the user-facing description does not prominently warn about this persistence. Because sessions can contain credentials, personal data, project details, and preferences, silent or weakly disclosed retention materially increases privacy and data-handling risk.

8. Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation describes automatic transmission of archived session summaries and metadata to a local HTTP service without prominent privacy notice or consent language. Because session archives can contain sensitive prompts, outputs, identifiers, and project context, silently forwarding them to another service creates a meaningful confidentiality and transparency risk.

9. Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The guide states that stored memory is automatically processed by an LLM, including translation and extraction, but does not clearly warn users that archived content may be transformed or secondarily processed. This matters because users may assume archival is lossless and local, while the transformation can expose sensitive content to additional processing paths and alter the fidelity of stored records.

10. Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The template and extraction rules explicitly collect and preserve sensitive contextual data such as filesystem paths, config key/value pairs, and localhost endpoints into archive summaries. In a session-archiving skill, this increases the chance of unintended disclosure, persistence, or later exfiltration of operational details that may include secrets, internal topology, or user environment information.

11. Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: Allowing custom templates and user-controlled archive output paths creates persistence risk for sensitive session summaries, especially when the summaries may contain extracted operational details from prior messages. Without warnings, validation, or safeguards, users may store sensitive archives in insecure or unintended locations, increasing exposure through local compromise, backup systems, or accidental sharing.

12. Ssd 3
Severity: Medium
Confidence: 94%
Finding: The skill is explicitly designed to preserve user session content, including intent, decisions, preferences, and task history, into local archives and optionally a cross-session memory store. In the context of agent sessions, that data frequently includes secrets, internal paths, business context, and personal information, so broad archival without minimization or consent creates a substantial confidentiality risk.

13. Ssd 3
Severity: Medium
Confidence: 96%
Finding: The archive template explicitly preserves raw user intent quotes, file paths, config keys/values, and API endpoints, all of which may contain highly sensitive information. Structured persistence of these fields makes later disclosure, indexing, or exfiltration more damaging because the most valuable data is intentionally extracted and centralized.

14. Ssd 3
Severity: Medium
Confidence: 93%
Finding: The archive generator intentionally extracts and preserves user-provided conversation content, including intent, decisions, todos, errors, paths, and localhost URLs. Even when stored locally, this concentrates sensitive information into durable summaries and increases the chance of secondary disclosure if archive permissions, backups, or downstream consumers are not tightly controlled.

15. Ssd 3
Severity: High
Confidence: 98%
Finding: This code sends plain-language session summaries containing conversation-derived content to an external memory bank service. Because the summaries may include sensitive operational details and user data, this is a genuine data-leak path; the risk is heightened by defaulting to a localhost HTTP service that could later be reconfigured to a remote endpoint without stronger consent or transport protections.

16. Ssd 3
Severity: Medium
Confidence: 89%
Finding: The trimming logic reinserts a system-role message containing historical summary text back into the active session record. That can unintentionally elevate untrusted prior conversation content into high-priority context, causing prompt/context injection persistence and broadening exposure of sensitive history to later tools or model turns.

VirusTotal

65/65 vendors flagged this skill as clean.