ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

session-compress

v1.0.1

Compress OpenClaw session .jsonl files by trimming old messages while preserving system messages, recent turns, and task-relevant context.

0· 20·0 current·0 all-time
by@zzqsama066
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (compress .jsonl session files) matches the instructions' goal, but it presumes the presence of a local PowerShell script (scripts/compress.ps1) and an <OPENCLAW_DIR> path. Because the skill includes no code or install spec, it cannot itself perform compression; it only documents how to run an external script that is not provided. That mismatch is an incoherence a user should confirm.
!
Instruction Scope
Instructions tell the operator/agent to list and modify files under <OPENCLAW_DIR>\agents\main\sessions\*.jsonl and to run powershell -File scripts/compress.ps1. These are narrowly scoped to main agent sessions (appropriate), but they instruct execution of an external PowerShell script whose content is unknown. The SKILL.md does not include the script contents, nor does it define how <OPENCLAW_DIR> is resolved — both gaps increase risk and ambiguity.
Install Mechanism
No install spec and no bundled code means nothing will be written to disk by installing the skill itself, which lowers risk. However, the runtime instructions rely on an external script rather than installing it.
Credentials
The skill does not request environment variables, credentials, or config paths. The only filesystem access referenced is the agent's session directory, which is proportional to the stated purpose.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and is user-invocable. It does allow the agent to invoke the instructions autonomously by default (disable-model-invocation:false), which is platform normal; combined with other issues this is worth noting but not flagged by itself.
What to consider before installing
This skill is instruction-only and does not include the PowerShell script it tells you to run. Before using it: 1) Verify that scripts/compress.ps1 actually exists on your system and inspect its contents line-by-line to ensure it only touches the intended session files and does not exfiltrate data or run network calls. 2) Back up any .jsonl files or use -OutputPath / DryRun as recommended. 3) Confirm <OPENCLAW_DIR> location and platform (instructions use PowerShell; they assume a Windows/PowerShell environment). 4) Be cautious about letting an agent execute these commands autonomously — prefer manual invocation until you’ve reviewed the script. If the skill came with the compress.ps1 content or a trusted install source (and you’ve audited the script), the incoherence is resolved and the risk drops.

Like a lobster shell, security has layers — review code before you run it.

latestvk979zhv3f9bacspbprncqv8xqs84erjeopenclawvk979zhv3f9bacspbprncqv8xqs84erjeutilityvk979zhv3f9bacspbprncqv8xqs84erje

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments