claw-compactor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real compression tool, but it warrants review because it can read private OpenClaw session transcripts, rewrite workspace files, and add future automation with limited warnings.

Install only if you are comfortable with the tool processing local OpenClaw transcripts and rewriting workspace memory files. Run `benchmark` and command-specific dry runs first, keep version-control or backups, avoid `full` on important workspaces until you have reviewed what it touches, and do not use the heartbeat/cron automation unless unattended compression is explicitly acceptable. Treat `.codebook.json` and observation summaries as sensitive artifacts that may contain private paths, commands, transcript-derived facts, or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation advertises capabilities that include file reads/writes, shell execution, and network access, yet it does not declare permissions or boundaries for those actions. This reduces transparency and can cause an agent or user to invoke a skill with broader operational reach than expected, increasing the chance of unsafe file modification or data exposure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The stated purpose frames the skill as a compression toolkit, but the documented behavior extends into auditing, deduplication, summarization, tokenizer optimization, automation installation, and reading/writing additional session-tracking artifacts. This mismatch is dangerous because users may consent to a narrow transformation while the skill performs broader analysis, persistence, and unattended modification of workspace state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The documentation explicitly shows a codebook storing and preserving sensitive values such as secret tokens and SSH-related identifiers, which normalizes retention of credentials inside compression artifacts. Even if intended as lossless compression, this expands the skill's handling of secrets and creates additional exposure points through codebooks, logs, backups, and downstream sharing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The compressed context protocol is designed to emit decompression instructions for insertion into another model's system prompt, which crosses from file compaction into prompt-shaping of downstream models. That creates a prompt-injection and trust-boundary risk because compressed content and its expansion rules can influence higher-privilege model behavior in ways not obvious to users.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The install command adds persistent automation instructions into HEARTBEAT.md, which materially expands the skill from a one-shot compression utility into something that can influence future agent behavior. That persistence is security-relevant because it can cause later automatic execution of workspace-modifying commands without an explicit warning or narrowly scoped consent at install time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The observe command reads from ~/.openclaw/sessions, which is outside the provided workspace and may contain unrelated or sensitive user transcripts. It then derives observations and stores them in the workspace, creating a cross-boundary data flow from global private data into project files without strong user awareness or explicit scoping.

Context-Inappropriate Capability

Severity: Low
Confidence: 87%
Finding: Even though `benchmark` only counts files, it still probes a user-global session directory unrelated to the workspace and reports that information in a compression report. This broadens the command's visibility into local user data and can leak environmental metadata that the user did not expect the benchmark to access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The test suite enumerates and reads session transcript files from the user's home directory (`~/.openclaw/agents/main/sessions/*.jsonl`), which are likely to contain sensitive prompts, tool outputs, credentials, or private workspace content. Even though this appears in test code, it exercises access to unrelated local data outside the declared workspace-compaction scope, making the skill more dangerous because running tests can silently process personal data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README presents `full` as a simple one-command optimization workflow but does not clearly warn that it modifies workspace files, creates artifacts, and can apply lossy transformations. In an agent or automation context, this can lead users to run the command on important data without backups or review, causing unintended file changes and potential loss of fidelity in memory/session content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The quick-start path recommends running the full pipeline immediately after a benchmark, but the documentation does not prominently warn that the command writes artifacts and includes lossy stages. Users may run it assuming safe optimization and unintentionally alter or irreversibly condense workspace memory content without backup or review.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The heartbeat and cron examples encourage unattended execution of the full pipeline, which can repeatedly modify memory files and summaries without human review. In context, this is more dangerous because the skill performs lossy compression and transcript processing, so automated runs can accumulate corruption, drop useful context, or overwrite state based on stale assumptions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation depicts sensitive tokens being stored in the codebook and reused during roundtrip recovery without any warning about credential retention, leakage, or access control. In a compaction skill, this is especially risky because users may assume size optimization is low-risk while the implementation may actually duplicate secrets into new persistent files.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The documented workflow scans all workspace markdown files and session transcripts, which can collect broad contextual and potentially sensitive information without any visible consent, minimization, or scope limits. Because the skill is positioned as a compactor, this broad ingestion is more dangerous than expected and increases the chance of unintended processing of private data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script overwrites the input file by default when not using `--dry-run` and does so without an explicit confirmation prompt, backup, or prominent warning. In a memory-compression tool, this can silently destroy or irreversibly alter user data, especially because the compression logic is lossy and may also prepare content for downstream LLM handling.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The function writes a `.prompt.md` file containing the source content embedded in an LLM prompt without clear disclosure or confirmation. Because memory files may contain sensitive operational details, this creates an unexpected secondary artifact on disk that can expand the exposure surface through indexing, syncing, or later exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The codebook is built from workspace-derived n-grams, IP prefixes, and filesystem path prefixes, then persisted to disk without any consent, notice, minimization, or sensitivity filtering. In this skill context, that can preserve fragments of internal paths, network layout, and repeated sensitive phrases from workspace memory files, creating a durable metadata leak beyond the original source files.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The command processes potentially private local transcripts and writes both extracted observations and a tracking file into the workspace without a clear warning. This can silently persist sensitive summaries from unrelated sessions into project storage, where they may be committed, shared, or read by other tools.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The optimize command rewrites markdown files in place across the workspace unless dry-run is set, but the interface does not strongly warn that original content will be modified. In-place transformation of user documents can cause unintended data loss, semantic corruption, or destructive changes that are hard to review afterward.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The full pipeline chains together transcript observation, file compression, codebook creation, and other write operations, yet presents itself as a single workflow without a consolidated warning about all side effects. Because it mixes workspace modification with cross-boundary transcript ingestion, a user may trigger multiple persistent changes without understanding the breadth of actions performed.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding: The install command modifies or creates HEARTBEAT.md, changing workspace configuration and embedding future-action guidance, but it does not present this as a significant persistent modification. Users may not realize they are altering agent-operational behavior in the repository rather than just enabling a local utility.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: In JSON mode, the script prints the full `results` structure to stdout, and that structure includes `observations` and can include `llm_prompt`, both derived from session transcript content. Session transcripts may contain secrets, internal paths, commands, or sensitive tool outputs, so emitting them directly to stdout without an explicit warning, redaction, or opt-in acknowledgement can cause accidental disclosure in terminals, logs, CI pipelines, or shell history capture.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This benchmark recursively reads all Markdown files from a fixed real workspace path and aggregates their contents for processing without any explicit consent, warning, or sandboxing. Even though it is a test file, running it can unintentionally ingest sensitive notes, credentials, internal docs, or proprietary text from the host environment, and those contents may then be exposed through logs, failures, or downstream tooling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code reads and compresses local session transcripts without any user-facing disclosure, consent, or prominent warning, despite those transcripts potentially containing highly sensitive conversational and operational history. In the context of a compaction skill, this is more dangerous because the functionality is framed as performance testing, which may lead users to run it without realizing it touches private session data from their home directory.

VirusTotal

65/65 vendors flagged this skill as clean.
