context-manager

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bash script 'compress.sh' performs destructive file system operations by deleting session JSONL files ('rm') to reset agent sessions. It also interacts with the 'openclaw' system CLI to query session status and send messages.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. It reads untrusted conversation history from session files and passes it to the agent for summarization. The resulting output is used as the primary context for a new session without sanitization or strict boundary enforcement.
  • [PROMPT_INJECTION]: Ingestion points: Reads conversation history from .jsonl files in the ~/.openclaw/ directory (file: compress.sh).
  • [PROMPT_INJECTION]: Boundary markers: Uses simple markdown separators which may not prevent the agent from following instructions embedded in the summarized history (file: compress.sh).
  • [PROMPT_INJECTION]: Capability inventory: The script has permissions to read, write, and delete files in the agent's session directory and can initiate new messages to the agent (file: compress.sh).
  • [PROMPT_INJECTION]: Sanitization: There is no filtering or validation of the summary text before it is re-injected into the agent's context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 06:58 AM