Is clawdbot-logs safe?

https://clawhub.ai/satriapamudji/clawdbot-logs

68
CAUTION

This skill is a legitimate clawdbot diagnostics tool that provides log analysis and session monitoring capabilities. However, it instructs the agent to access sensitive user data, including full conversation history, session metadata, and configuration files. While no exfiltration mechanism exists within the skill itself, the broad data access pattern creates privacy concerns and could be exploited in combination with other skills.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 42/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Access to full user conversation history -30

SKILL.md instructs the agent to read the ~/.clawdbot/agents/main/sessions/*.jsonl files, which contain the complete conversation history, including all user messages, assistant responses, token usage, and cost data. The skill also explicitly parses user messages with jq: select(.message.role=="user") | .message.content[0].text. This gives the skill-directed agent access to all prior user inputs.

MEDIUM Access to bot configuration file -15

The skill instructs the agent to read and parse ~/.clawdbot/clawdbot.json for config validation. This file may contain API keys, authentication tokens, bot tokens, or other sensitive configuration values depending on the clawdbot setup.

MEDIUM Access to session metadata with model and token info -13

The skill reads ~/.clawdbot/agents/main/sessions/sessions.json, which contains session IDs, model provider info, total tokens, context window sizes, compaction counts, and channel information. This metadata could be used to fingerprint the user's setup.

MEDIUM Executable shell scripts with broad system access -25

The skill includes two bash scripts that execute journalctl, systemctl, jq, awk, and other system commands. While the scripts themselves appear benign and focused on log analysis, they establish shell execution as a normal pattern. The scripts read from system journals and user home directory files.

LOW Journalctl access exposes system service logs -10

Multiple commands instruct the agent to read systemd journal logs via journalctl, which may contain sensitive operational information beyond just the clawdbot service, depending on journal configuration and access controls.

LOW Wildcard glob on session directory -10

The skill uses a wildcard glob, ~/.clawdbot/agents/main/sessions/*.jsonl, which could match more session files than intended, potentially exposing data from multiple sessions or agents.

INFO Skill description is appropriately scoped -10

The SKILL.md description and frontmatter accurately describe the skill's functionality (log analysis and diagnostics). No hidden instructions, override attempts, or deceptive framing detected.

INFO Runtime environment reads .env and .aws/credentials -5

The filesystem monitoring shows access to /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the install/clone phase. However, these accesses are attributable to the openclaw runtime environment initialization, not the skill itself. The .aws/credentials file was opened, but the timing aligns with the openclaw gateway startup sequence.