context-manager
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
compress.shscript performs file system operations, including the deletion of session data files in~/.openclaw/agents/when the--replaceflag is used. This is the intended destructive behavior of the skill to reset session context. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8). It asks the agent to summarize its current session history and then injects that unvalidated output as the initial prompt of a new session. This creates a multi-step chain where malicious instructions present in the original history could persist across session resets.
- Ingestion points: Reads full conversation history from session files in
~/.openclaw/agents/(e.g., incompress_sessionandcmd_ai_summarize). - Boundary markers: Absent. The agent-generated summary is interpolated directly into the injection message without delimiters or instructions to ignore embedded content.
- Capability inventory: The skill can read and delete session files and invoke the agent with arbitrary messages using the
openclawCLI. - Sanitization: No validation or sanitization is performed on the summary text returned by the agent before it is used to initialize the next session.
Audit Metadata