openclaw-history-ingest
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths to identify the user's workspace and vault. It reads from the `.env` file and the `~/.openclaw` directory, which may contain sensitive configuration and session metadata.
  - Evidence: `SKILL.md` instructs the agent to read `OBSIDIAN_VAULT_PATH` and `OPENCLAW_HISTORY_PATH` from the vault's `.env` file.
  - Evidence: `SKILL.md` directs the agent to scan and process files within `~/.openclaw/workspace/` and `~/.openclaw/agents/*/sessions/`.
- [PROMPT_INJECTION]: The skill processes untrusted data in the form of past agent transcripts and memory files, which could contain malicious instructions designed to influence the agent's behavior during the distillation process.
  - Ingestion points: `~/.openclaw/workspace/MEMORY.md`, `~/.openclaw/workspace/memory/*.md`, and `~/.openclaw/agents/*/sessions/*.jsonl` (as described in `SKILL.md`).
  - Boundary markers: `SKILL.md` includes instructions to "Summarize; do not quote raw transcripts verbatim" and to apply a "Critical privacy filter," though these are soft constraints.
  - Capability inventory: The skill allows the agent to create and update Markdown files within the Obsidian vault (`SKILL.md`, Step 6).
  - Sanitization: `SKILL.md` provides explicit instructions to "Remove API keys, tokens, passwords, credentials" and redact private identifiers during processing.
Audit Metadata