openclaw-agent-transcript
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script executes local binaries, specifically spawning
codexfor log-thread processing and using the system'sopencommand to display HTML previews. This execution is limited to local tools and is consistent with the skill's management of agent workflows. - [DATA_EXFILTRATION]: The skill accesses sensitive local directories containing agent session logs, such as
~/.claude/projects,~/.codex/sessions, and~/.openclaw/agents. This access is fundamental to the skill's utility and is mitigated by a redaction engine that removes common secrets, PII, and authentication headers. The skill explicitly avoids network calls. - [PROMPT_INJECTION]: By processing and rendering untrusted data from previous session logs, the skill creates an indirect prompt injection surface.
- Ingestion points: Local JSONL session logs found in agent-specific home directory subfolders.
- Boundary markers: Transcript content is delimited by
<!-- agent-transcript:start -->and<!-- agent-transcript:end -->markers. - Capability inventory: Local file system read/write capabilities and the ability to spawn local processes (
codex). - Sanitization: Implements automated regex redaction for secrets and PII, alongside HTML escaping for generated previews, to prevent malicious content from influencing the agent or user.
Audit Metadata