session-logs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is reading external/historical data into the current agent context. * Ingestion point: .jsonl session files in ~/.openclaw/agents/. * Boundary markers: None. * Capability inventory: Access to bash, jq, and rg for complex data processing. * Sanitization: None. If a prior session contained malicious instructions, this skill will re-inject them into the current session.
- [Command Execution] (MEDIUM): The bash command examples provided use placeholders like and . If the agent populates these from untrusted sources without strict validation, it could lead to shell command injection (e.g., via maliciously crafted session filenames).
- [Data Exposure] (MEDIUM): While intended, the skill grants unrestricted access to sensitive historical logs, including full transcripts and usage/cost metadata, which increases the impact if the agent is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata