warn
suspicious.prompt_injection_instructions
- Location
- references/compression-techniques.md:210
- Finding
- Prompt-injection style instruction pattern detected.
claw-compactor
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.prompt_injection_instructions
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
Past session transcripts may contain private prompts, tool outputs, file paths, secrets, or project details; this skill can summarize and store those details in workspace memory where future agents may reuse them.
Why it was flagged
The observe command scans every JSONL file in the user's global OpenClaw sessions directory and persists derived observations and tracking data in the target workspace. The artifacts do not show workspace scoping, sensitivity filtering, retention limits, or exclusions.
Skill content
sessions_dir = os.path.expanduser("~/.openclaw/sessions") ... session_files = sorted(Path(sessions_dir).glob("*.jsonl")) ... obs_file.write_text(md, encoding="utf-8") ... tracker_path.write_text(...)Recommendation
Require an explicit session directory or current-workspace filter, add exclusions and retention controls, show a preview before writing observations, and review generated memory before allowing future agents to use it.
What this means
Users may overwrite or rely on compressed memory believing all important details were preserved when some context could have been omitted or distorted.
Why it was flagged
This strong assurance can make users trust lossy outputs as complete. The provided observation-compression code also truncates tool inputs/outputs and extracts limited lines, so complete fact preservation is not guaranteed.
Skill content
*Lossy techniques preserve all facts and decisions; only verbose formatting is removed.
Recommendation
Treat lossy modes as summaries, not backups. Keep originals, run dry-runs/diffs, and update the documentation to clearly warn that facts can be missed.
What this means
Workspace memory or documentation can be changed in place, which may affect future agent behavior or remove formatting/context.
Why it was flagged
The optimize command rewrites collected markdown files unless --dry-run is used. This is purpose-aligned for a compressor, but it is still local data mutation.
Skill content
if not dry_run:
f.write_text(optimized, encoding="utf-8")Recommendation
Run benchmark or --dry-run first, keep backups or version control, and inspect diffs before accepting rewrites.
What this means
If scheduled, the skill may continue rewriting memory and processing sessions without a fresh manual review each time.
Why it was flagged
The documentation gives an optional scheduled execution pattern that can keep processing and modifying the workspace after setup. It is disclosed and user-directed, not hidden persistence.
Skill content
## Heartbeat Automation Run weekly or on heartbeat: ... Cron example: 0 3 * * 0 cd /path/to/skills/claw-compactor && python3 scripts/mem_compress.py /path/to/workspace full
Recommendation
Only schedule it after testing, log its output, prefer dry-run/benchmark checks, and keep versioned backups.
What this means
Future agents may treat the generated decompression instruction as authoritative context interpretation guidance.
Why it was flagged
The skill intentionally creates instructions that tell a model how to interpret compressed context. This is aligned with the compression feature, but it is prompt-shaping behavior.
Skill content
Generates ultra-compressed context + decompression instructions for system prompts. ... "Expand naturally when responding."
Recommendation
Keep decompression instructions narrow and non-authoritative, and do not mix compressed context from untrusted sources into system-level prompts.
What this means
If a user clones or installs from a different revision than the reviewed artifact, they may run code that was not reviewed here.
Why it was flagged
The setup example uses an unpinned external repository and optional package installation rather than a pinned install spec. This is a provenance note, not evidence of malicious code.
Skill content
git clone https://github.com/aeromomo/claw-compactor.git ... Optional: `pip install tiktoken`
Recommendation
Install from the reviewed package when possible, or pin and inspect a specific commit and dependency version before running.