Is bluebirdback/claw-history safe?
https://github.com/openclaw/skills/tree/main/skills/bluebirdback/claw-history
claw-history is a pure-markdown skill with no executable code, no install-time execution vectors, clean network behavior limited to a GitHub clone, and passing canary integrity. Its primary risk profile derives from its stated purpose: broad traversal of all agent memory files and session logs, which could compile and expose sensitive information the agent has stored across its lifetime. Used in isolation by a consenting user it is low-risk; used as part of a multi-skill attack chain involving an exfiltration primitive, it would serve as an effective reconnaissance stage.
Findings (6)
MEDIUM Broad unbounded memory file traversal could surface sensitive agent-stored data -20
The skill instructs the agent to find and read all memory/YYYY-MM-DD*.md files (earliest and most recent), MEMORY.md, and session logs without any path restriction or content filtering. Any sensitive information previously captured in memory by the agent — including API keys, passwords, PII, or confidential context — will be compiled into the history output and displayed to whoever invokes the skill. This is the skill's intended function, but the lack of scope guardrails means the attack surface is whatever the agent has ever written to memory.
LOW Cross-session traversal instruction lacks explicit scope boundary -18
The skill instructs the agent to access session history from 'main + sub-agent sessions when accessible.' In a multi-user or multi-agent environment, this open-ended instruction could cause the agent to enumerate sessions beyond the current user's intended scope, depending on how the underlying platform exposes session data.
LOW Structured recon utility — dangerous in combination with exfiltration skills -25
In isolation this skill is benign, but it produces a structured, chronological inventory of all confirmed agent actions, source file references, and tool use across sessions. An attacker who also installs an exfiltration-capable skill could use claw-history as a first-stage recon tool to enumerate what the agent knows, what files it has touched, and what credentials it may have encountered, then exfiltrate that summary externally.
INFO Expected GitHub-only network activity during install -12
The only external network connection observed was a standard HTTPS git clone to github.com (resolved to 140.82.121.3:443). DNS queries resolved only internal and GitHub addresses. No data was sent outbound beyond the git protocol handshake, and no new persistent listeners appeared in the post-install connection diff.
INFO No executable code or install-time execution vectors 0
The skill package contains only three files: a markdown skill definition, a README, and a JSON metadata file. No scripts, no npm lifecycle hooks, no git hooks, no submodules, and no symlinks. The skill cannot execute code at install time or at runtime beyond what the agent itself chooses to do in response to the markdown instructions.
INFO README references fictitious model name 'gpt-5.3-codex' 0
The README credits 'gpt-5.3-codex' as the initial packaging model. No such model exists in any known OpenAI or third-party catalog as of the audit date. This is a minor credibility anomaly — possibly aspirational versioning or placeholder text — but does not represent a security risk.