Is amor71/session-history safe?
https://github.com/openclaw/skills/tree/main/skills/amor71/session-history
The amor71/session-history skill has a clean implementation — its Python script uses only standard library modules with no network calls or code execution primitives, and the SKILL.md contains no prompt injection payloads. The primary risk is structural and inherent to the skill's purpose: it reads full conversation transcripts from all agent session directories, which may contain credentials or sensitive data from past conversations, loading that content into the active agent context on each invocation. Canary file accesses detected during the audit window are temporally attributable to the audit infrastructure's own pre- and post-install verification passes rather than the skill itself.
Findings (8)
HIGH Full conversation transcript access enables credential surfacing -25
The skill's primary function requires reading ~/.openclaw/agents//sessions/.jsonl files, which contain complete message-by-message conversation history. If any past session contained credentials, API keys, passwords, internal URLs, or PII, executing a search query would pull that content into the agent's active context. The excerpt-based output mode means even a narrow keyword match surfaces surrounding sensitive content.
MEDIUM Potential intelligence-gathering stage for credential extraction -38
The skill's ability to keyword-search all historical transcripts makes it a capable reconnaissance tool if misused or if a future version of the script were modified. Queries for 'api key', 'bearer', 'password', 'secret', or 'token' would systematically surface sensitive material from all past sessions across all agents. Without external transmission, harm requires a second capability, but the combination risk is meaningful.
MEDIUM Skill ships and directly executes a bundled Python script -22
The workflow in SKILL.md requires the agent to execute scripts/search_sessions.py via python3. The current version of the script is clean — standard library imports only, no network calls, no subprocess invocations, no dynamic code execution. However, shipping an executable script that is directly invoked by the agent on every skill activation creates a supply-chain surface: a malicious future update to the script would execute with full user privileges under agent context.
MEDIUM Cross-agent wildcard scope exceeds single-session expectation -10
The skill enumerates all directories under ~/.openclaw/agents/, not just the current agent's sessions. Users of multi-agent setups may have distinct agents for different purposes (work, personal, sensitive projects). This skill reads across all of them silently, potentially violating the user's implicit expectation of session isolation.
LOW Broad trigger language risks inadvertent activation -10
The skill description includes trigger phrases such as 'remember', 'remember when we discussed X', 'we talked about Y last week', and 'find that conversation about X'. These are common natural-language expressions that users also direct at in-session memory or general agent recall, not specifically at on-disk session logs. Over-triggering could result in the skill running and loading session transcripts when the user expected a simple in-context response.
LOW Fallback instruction bypasses sessions_history tool access controls -8
The workflow explicitly instructs the agent to fall back to direct filesystem reads via the 'read' tool if sessions_history is unavailable. The sessions_history tool may enforce access controls, audit logging, or scoping that direct file reads bypass. Instructing the agent to use raw filesystem access as a fallback undermines any guardrails the tool API provides.
LOW Canary credential files read during audit window -12
Inotifywait and auditd captured OPEN and ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud application_default_credentials.json. Two access clusters are observed: one at 1771653688.497 (before git clone began at 1771653694) and one at 1771653709.613 (after install completed). Process-chain analysis of surrounding EXECVE records attributes both to the oathe audit system's baseline collection and post-install canary verification — no skill-initiated process explains the access. Canary integrity check confirms no modification.
INFO No external network calls in search_sessions.py 0
Static analysis of the Python script confirms zero network activity. Imports are restricted to the Python standard library. No requests, urllib, http.client, socket, subprocess, or similar modules are present. All output is written to stdout. The script cannot exfiltrate data on its own.
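An added example, not part of this audit or of the skill's own code: a small ast-based scan that reproduces the kind of import and call check described above, so a reviewer can re-run it against scripts/search_sessions.py after each update and catch the supply-chain change the MEDIUM finding warns about. The module denylist and the two sample scripts are constructed assumptions, not the skill's real source.

```python
import ast

# Modules and calls that would give a skill script network reach or code/process
# execution; the audit above found none in search_sessions.py.
NETWORK_MODULES = {"socket", "http", "urllib", "urllib3", "requests", "httpx",
                   "aiohttp", "ftplib", "smtplib", "xmlrpc", "telnetlib"}
EXEC_MODULES = {"subprocess", "ctypes", "pty", "importlib"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}
OS_EXEC_PREFIXES = ("os.system", "os.popen", "os.exec", "os.spawn", "os.posix_spawn")

def _dotted(node):
    """Render an attribute chain such as os.system back to dotted text."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id if isinstance(node, ast.Name) else "")
    return ".".join(reversed(parts))

def scan_source(source):
    """Static scan of one Python file: imports and calls grouped by risk class."""
    found = {"network": set(), "exec": set(), "dynamic": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                top = name.split(".")[0]
                if top in NETWORK_MODULES:
                    found["network"].add(name)
                if top in EXEC_MODULES:
                    found["exec"].add(name)
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in DYNAMIC_CALLS or target.startswith(OS_EXEC_PREFIXES):
                found["dynamic"].add(target)
    return {k: sorted(v) for k, v in found.items()}

def is_clean(source):
    """True when the script has no flagged import or call (the audit's verdict)."""
    return not any(scan_source(source).values())

# Constructed samples (not the skill's real script): a stand-in for a clean
# stdlib-only version, and a tampered update that adds exfiltration primitives.
CLEAN_SAMPLE = ("import json, sys\nfrom pathlib import Path\n"
                "for p in Path(sys.argv[1]).glob('*.jsonl'):\n"
                "    print(json.loads(p.read_text()))\n")
TAMPERED_SAMPLE = CLEAN_SAMPLE + ("import os, subprocess\nfrom urllib import request\n"
                                  "request.urlopen('http://example.invalid')\n"
                                  "os.system('true')\n")
```

Pin the reviewed script's hash alongside this check so a silent update is caught by both the digest mismatch and the scan.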