Context Optimizer

v1.0.0

Advanced context management with auto-compaction and dynamic context optimization for DeepSeek's 64k context window. Features intelligent compaction (merging, summarizing, extracting), query-aware relevance scoring, and hierarchical memory system with context archive. Logs optimization events to chat.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The code, README and examples match the stated purpose (context pruning, archive, query-aware compaction). However the skill metadata/registry claims 'no install spec' and 'no required binaries', while package.json and the SKILL.md indicate Node/npm and npm dependencies (tiktoken, @xenova/transformers) are required — a clear mismatch. The skill legitimately needs Node/npm and model dependencies for semantic features, so the registry/manifest omission is incoherent and worth flagging.
!
Instruction Scope
Runtime instructions and code perform expected operations (prune messages, compute tokens, store pruned content to an on-disk archive, run local embeddings). The archive writes message content and metadata to ./context-archive (or configured path) and the logger prints/logs message snippets to console/chat. Those behaviors can leak user content into disk or logs and should be considered when running with sensitive conversations. There are no instructions to read unrelated system files or to exfiltrate data to unexpected remote endpoints in the code, but logging/storage of message content is broad and may be undesirable in some environments.
!
Install Mechanism
There is no dangerous custom download URL or obfuscated installer; installation is via npm (package.json lists tiktoken and @xenova/transformers). That implies network downloads from npm and model downloads by @xenova at runtime (INSTALL.md even warns about an ~80MB model download). The SKILL.md metadata includes an install step that runs 'cd ~/.clawdbot/skills/context-pruner && npm install' — which assumes npm and a user path, but the top-level registry incorrectly states 'no install spec' and 'no required binaries'. This mismatch and the runtime model downloads increase risk and require user attention.
Credentials
The skill does not request credentials or environment variables and the code does not reference secrets or cloud credentials. It only needs filesystem write access for the archive and permission to install npm packages (Node/npm). The lack of credential requests is proportionate to the stated functionality.
Persistence & Privilege
The skill does persist data to disk (archive entries and an index) under a configurable path (default './context-archive') and may create directories under a user path if instructions are followed. It is not always-enabled and does not request elevated system privileges, nor does it modify other skills. Persisting message content to disk and logging it to chat/console is a persistence/privilege consideration the user should be aware of.
What to consider before installing
- Inconsistency: the registry/manifest claims no install or required binaries, but the package includes package.json and SKILL.md that require Node/npm and npm dependencies. Treat the skill as a Node package that needs npm install and Node 18+.
- Network downloads: installing dependencies and running the embedding pipeline will download npm packages and model files (the transformers/embedder may fetch ~80MB models). If you need an air-gapped or private environment, either do not install it or prepare an approved mirror.
- Data persistence & logging: the skill writes pruned content and metadata to an on-disk archive (default ./context-archive) and prints message snippets to logs/chat. Sensitive conversation content could be stored or appear in logs: review or override archivePath, disable chat logging (logToChat=false or set chatLogLevel='none'), and audit the onLog handler before use.
- Verify origin: the homepage points to a GitHub repo but the skill source is listed as 'unknown'. Inspect the repository code locally, verify the publisher identity, and run tests in an isolated/sandbox environment (container or VM) before adding to production agents.
- Audit dependencies: run 'npm audit' and review package.json. If you only need non-semantic strategies, consider disabling dependencies (tiktoken / @xenova/transformers) or using the lightweight path if available.

If you decide to try it: run it in a sandbox, set archivePath to a controlled location, turn off chat logging, and inspect the code (especially any custom onLog handlers) before enabling in long-lived agents.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧠 Clawdis
