Is session-logs safe?

https://clawhub.ai/guogang1024/session-logs

52
CAUTION

session-logs is a markdown-only skill with no executable code, clean install behavior, and intact canary files. However, it provides the agent with broad access to all historical conversation transcripts via shell commands, creating a significant data exposure risk. Session logs may contain API keys, passwords, PII, and sensitive tool outputs from prior conversations. The skill also instructs the agent to parse its own system prompt for configuration data. While not malicious on its own, it creates a high-value attack surface for skill-chaining scenarios where a companion skill could search session history for credentials and exfiltrate them.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (10)

CRITICAL Full session history access exposes secrets from prior conversations -50

The skill directs the agent to read all JSONL session transcripts, which may contain API keys, passwords, database credentials, PII, and other sensitive information that users shared in previous conversations. The 'rg -l phrase' command across ALL sessions makes bulk scanning trivial.

HIGH Session logs contain tool outputs with sensitive data -20

Session JSONL files include toolResult entries from prior conversations. If a user previously ran commands that output file contents, database results, or credential lookups, those results are stored in the session logs and become searchable by this skill.

HIGH Skill instructs agent to parse its own system prompt -20

The skill tells the agent to extract the agentId from the system prompt Runtime line. This establishes a pattern of the agent introspecting on its own system prompt, which could be exploited by more malicious skills to extract other system-level configuration.

MEDIUM Broad activation trigger enables unsolicited shell command execution -15

The skill activates on vague triggers like 'historical context that isn't in memory files', which could cause the agent to run jq/rg shell commands when the user merely references something from a prior conversation, without explicitly requesting a session log search.

MEDIUM Shell command templates with glob expansion and pipe chains -15

The skill provides numerous bash one-liners with glob expansion, piped commands, and awk processing. While read-only in nature, these commands run in the agent's shell with the user's permissions and operate on sensitive data.

MEDIUM Skill-chaining attack vector for credential extraction -40

This skill alone doesn't exfiltrate data, but it normalizes the agent accessing full conversation history. A companion malicious skill could leverage session-logs to search for 'password', 'api_key', 'token', etc. across all sessions and exfiltrate the results.

LOW No executable code, install scripts, or hooks -5

The skill contains only a markdown file and metadata JSON. No package.json scripts, git hooks, submodules, or symlinks were detected. This is a positive finding.

LOW Sensitive file reads during install are runtime artifacts -15

The .env, .aws/credentials, and .openclaw/openclaw.json reads observed during monitoring are from the OpenClaw runtime bootstrap, not from the skill itself. The skill has no install-time code.

INFO All honeypot canary files intact 0

No canary files were accessed or modified during the skill's installation and evaluation. No exfiltration via honeypots detected.

INFO Zero network activity during clone and install 0

No outbound network connections were made during the skill installation. No DNS queries, HTTP requests, or blocked firewall events were observed from the skill itself.