Is session-compressor safe?
https://clawhub.ai/nicobailon/session-compressor
This skill is effectively empty — it failed to install and contains no SKILL.md or executable code. The only content is a lock.json referencing a different skill name ('academic-research-hub'). The primary concern is that the install process accessed sensitive files (.env, .aws/credentials, auth-profiles.json) as part of the OpenClaw platform's initialization, though no data was exfiltrated. The skill poses minimal active threat but the mismatched metadata and sensitive file access patterns warrant caution.
Findings (6)
MEDIUM Sensitive file access during install -40
The install process opened and read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json. These files contain secrets and credentials. While this appears to be the OpenClaw platform's initialization behavior rather than skill-authored code, the skill triggered this code path.
LOW Shell profile files accessed -15
Multiple reads of .profile and .bashrc were observed, which could expose environment variables, aliases, and PATH configurations.
MEDIUM Credential file reads despite install failure -30
The skill failed to install ('Skill not found'), yet the OpenClaw runtime still accessed .env and .aws/credentials during the failed attempt. This means even non-existent skills trigger sensitive file reads.
LOW Mismatched skill name in lock.json -15
The lock.json file references 'academic-research-hub' as the installed skill, not 'session-compressor'. This name mismatch is anomalous and could indicate a misconfigured, repurposed, or deceptive repository.
INFO No network egress detected 0
Despite sensitive file reads, no outbound network connections were observed. The VM firewall did not block any connections either, meaning no exfiltration was attempted.
INFO Empty SKILL.md — no prompt content 0
The skill contains no SKILL.md file, meaning it injects nothing into the agent's system prompt. There are zero prompt injection vectors from this skill.