Is session-logs safe?
https://clawhub.ai/skill/session-logs
The session-logs skill is a legitimate utility for searching conversation history, but it grants broad access to highly sensitive data (full conversation transcripts that may contain credentials, API keys, and personal information). While it contains no malicious code, hidden instructions, or exfiltration mechanisms itself, it significantly expands the attack surface by normalizing agent access to complete conversation history and providing ready-made search commands that could be leveraged in multi-skill attack chains.
Findings (9)
HIGH Bulk access to sensitive conversation history -30
The skill's core purpose is to provide shell commands for reading and searching through complete conversation transcripts stored in JSONL files. These transcripts contain user messages, assistant responses, tool call results, and cost data. Prior conversations may contain API keys, passwords, database credentials, or other secrets that users shared in context. The skill provides a 'search across ALL sessions' command that enables bulk credential harvesting.
MEDIUM Cross-platform communication metadata exposure -10
The sessions.json index maps chat providers (discord, whatsapp, etc.) to session IDs, exposing which communication platforms the user interacts through. This metadata could be used for social engineering or targeted attacks.
MEDIUM Shell command templates with glob expansion -15
The skill provides multiple bash command templates that use glob expansion (*.jsonl), piped commands, and shell loops. If session filenames or content contain shell metacharacters, these commands could behave unexpectedly. The commands are documentation-only but designed for agent execution.
MEDIUM Broad trigger condition for sensitive data access -8
The skill activates whenever the user asks about 'prior chats, parent conversations, or historical context that isn't in memory files.' This broad trigger means the agent may access full conversation history even when the user's intent is casual, potentially surfacing sensitive data unnecessarily.
MEDIUM Directs agent to read from sensitive home directory paths -10
The skill instructs the agent to access ~/.clawdbot/agents/
MEDIUM Reconnaissance enabler for multi-skill attack chains -45
While benign on its own, this skill combined with any skill that has network access creates a dangerous pipeline: search session logs for credentials → exfiltrate via network. The skill effectively turns the agent into a credential search tool across all historical conversations.
LOW Requires external binary dependencies -5
The skill declares dependencies on jq and rg (ripgrep) binaries. These are well-known, trusted tools, but the skill's functionality depends on their availability.
LOW Cost data exposure via jq queries -10
The skill includes commands to extract per-session and daily cost data. This is useful for the user, but it exposes financial usage information that could be sensitive.
INFO Clean installation with expected network activity -10
Installation produced only expected files. Network traffic limited to DNS, mDNS, CUPS, and a single HTTPS connection to what appears to be the ClawHub registry (216.150.1.1:443). No firewall-blocked connections.