context-manager
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation describes the script
compress.shperforming destructive file system operations, specifically deleting session JSONL files in~/.openclaw/agents/{agent}/sessions/. While this is the intended method for resetting sessions, such high-privilege file manipulation presents a risk if the script logic is exploited. - [PROMPT_INJECTION] (LOW): Vulnerable to Indirect Prompt Injection (Category 8). The skill reads session history (untrusted data) and generates an AI summary that is then injected as the first message of a fresh session. If the history contains malicious instructions, they could influence the summary or the behavior of the subsequent session.
- Ingestion points: Raw session history from JSONL files, which may include inputs from external users or integrations like Slack.
- Boundary markers: Absent. The summary is injected as the primary context for the new session without explicit delimiters or instructions to ignore embedded commands.
- Capability inventory: Includes file deletion (
rmequivalent), file writes tomemory/compressed/, and command execution viaopenclaw agentandopenclaw sessions. - Sanitization: No evidence of sanitization or filtering of conversation history prior to the summarization step.
Audit Metadata