by 安全扫描
OpenClaw
可疑
medium confidence该技能的指令期望一个持久的 CLI/monitor,并进行广泛的文件系统扫描和磁盘持久化,但软件包未提供二进制文件或安装步骤——各部分无法衔接。
评估建议
This skill's SKILL.md describes a CLI and background monitor that write checkpoint files and scan project directories, but the package includes no binary or install steps — that mismatch is the main red flag. Before installing or using this skill: 1) Ask the publisher for the actual implementation/binary or an install script and inspect it; 2) Verify exactly what path will be used for SESSION_DIR and whether it will touch any directories with sensitive data (especially the 'skills' directory); 3...详细分析 ▾
⚠ 用途与能力
The skill claims to provide a session-tracking CLI and background monitor that checkpoints state to disk. However, the registry entry contains only SKILL.md (no code, no install). The README repeatedly refers to running a 'session-tracker' command and a background monitor process, which cannot exist unless the environment already supplies that binary or the package installs it. Hardcoded default paths (/home/z/my-project/...) and explicit monitoring of a 'skills' directory are plausible for a tracker, but require filesystem access and a real implementation — which is missing.
⚠ 指令范围
The instructions direct the agent to create and write persistent session files, run a background monitor (monitor.pid, microdump files), and actively scan multiple directories (download, upload, .session, skills). They also instruct reading session state and checking for orphaned sessions. This goes beyond a simple stateless helper: it instructs persistent disk writes and recursive filesystem monitoring, including a directory for 'skill invocations' which could reveal other agents' outputs. Because there's no code provided, it's unclear who/what should perform these actions and how.
⚠ 安装机制
No install specification or code files are provided, yet SKILL.md repeatedly references a CLI and a background monitor. An instruction-only skill that requires a custom binary or daemon but provides neither is incoherent and risky: it either assumes an out-of-band installation (not documented) or it will instruct the agent to create ad-hoc scripts/processes, which is unclear and potentially unsafe.
ℹ 凭证需求
The skill requests no environment variables or credentials, which is proportionate in that it doesn't ask for secrets. However, it requires broad filesystem access (read metadata and write persistent state under /home/z/my-project/) and will scan a 'skills' directory. That level of disk access is reasonable for a session tracker, but should be explicit and auditable — especially because it could expose other tools' outputs or sensitive files.
⚠ 持久化与权限
The skill's workflow creates persistent artifacts (state.json, worklog.jsonl, microdump files, monitor.pid, sentinel file) and expects a long-running background monitor. While 'always' is false, these instructions still establish on-disk persistence and a process model that survives conversation restarts. Without concrete install code or provenance, this persistence is a cautionary flag.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.1.02026/4/19
## v2.1 更新 | 功能 | v1 | v2 | v2.1 | |---------|----|----|----| | 卡住检测 | 仅微转储 | FS 扫描器 + 微转储 | 同上 | | 活动检测 | 仅手动 | 通过 `os.stat` 自动 | 同上 | | 文件读取 | 不追踪 | `--reading` + atime | 同上 | | 心跳 | 无 | `ping` 命令 | 同上 | | 文件重命名 | 不追踪 | `--rename` | 同上 | | TodoWrite 同步 | 无 | `sync` 命令 | 同上 | | 恢复信息 | 仅步骤 | 步骤 + 工作日志 | 同上 | | **元崩溃检测** | 无 | 无 | **ACTIVE sentinel + `crash-detect`** | | **孤立会话自动检测** | 无 | 无 | **`init` 警告崩溃会话** | | **工作日志中的崩溃标记** | 无 | 无 | **任何新 agent 可见崩溃** | | **恢复报告** | 无 | 无 | **`crash-detect` 命令** |
● 无害
安装命令
点击复制官方npx clawhub@latest install session-tracker
镜像加速npx clawhub@latest install session-tracker --registry https://cn.longxiaskill.com
技能文档
追踪、断点、续跑多步任务,永不再丢进度。
痛点
- 会话早夭——上下文超限、超时、工具失败、断线,任务半截时上下文全灭。
- 无恢复机制——
worklog.md随意书写,缺结构化状态。 - 元崩溃(溢出杀整段对话)最惨:代理没了,只剩文件没人读。
- 本工具用结构化断点、强制日志、文件清单、自动文件系统活动侦测、卡死检测、Gridman 局外人崩溃恢复解决。状态秒级落盘,任何崩溃后磁盘即“记忆”。
v2.1 更新
| 功能 | v1 | v2 | v2.1 | |---|---|---|---| | 卡死检测 | 仅微转储 | FS 扫描+微转储 | 同左 | | 活动侦测 | 手动 |os.stat 自动 | 同左 |
| 文件读取 | 不记 | --reading+atime | 同左 |
| 心跳 | 无 | ping 命令 | 同左 |
| 文件重命名 | 不记 | --rename | 同左 |
| TodoWrite 同步 | 无 | sync 命令 | 同左 |
| 续跑信息 | 仅步骤 | 步骤+工作日志 | 同左 |
| 元崩溃检测 | 无 | 无 | ACTIVE 哨兵+crash-detect |
| 孤立会话自测 | 无 | 无 | init 警告崩溃残留 |
| 崩溃标记写入 worklog.md | 无 | 无 | 新代理可见 |
| 恢复报告 | 无 | 无 | crash-detect 命令 | 会话文件
全部位于SESSION_DIR(默认 /home/z/my-project/.session/):
| 文件 | 用途 |
|---|---|
| state.json | 会话元数据+文件清单 |
| todo.json | 持久待办(会话死亡亦存,与 TodoWrite 同步) |
| worklog.jsonl | 结构化日志,每行一 JSON(抗崩溃) |
| microdump_curr.json | 当前心跳指纹+文件系统扫描 |
| microdump_prev.json | 上一心跳指纹(轮转对) |
| snapshot_prev.json | 上一文件系统快照(用于 diff) |
| monitor.pid | 后台监控进程 PID |
| SESSION_ACTIVE | 哨兵文件——存在=会话活跃,完成时删除。若会话结束后仍在,即元崩溃。 | 工作原理
文件系统扫描器(v2 核心)
每轮检查监控目录:/home/z/my-project/download/— 输出/home/z/my-project/upload/— 输入/home/z/my-project/.session/— 会话状态/home/z/my-project/skills/— 技能调用
记录各文件 size、mtime、atime。连续快照比对: | 事件 | 侦测法 | |---|---| | 新建 | 当前有、前无 | | 删除 | 当前无、前有 | | 修改 | size 或 mtime 变 | | 读取 | atime 变、mtime 未变(relatime) |
此为“存活”主信号。若扫描发现任何活动,即判任务存活,避免代理静默长耗时被判卡死。
双微转储轮转(兜底)
每 N 秒(默认 60)后台监控取微转储:含步骤 ID、工作文件 size/mtime、worklog 行数、文件系统扫描。轮转:curr→prev,新转储→curr。若 curr==prev(忽略时间戳与卡死计数)且文件系统无活动,则判潜在卡死。