ClawHub

OpenClaw Token Optimizer

Security checks across malware telemetry and agentic risk

Overview

This token-saving skill appears local and purpose-aligned, but it needs Review because it writes persistent OpenClaw workspace files despite repeatedly claiming no system modifications.

Review before installing. The code does not show malware or network exfiltration, but treat it as a state-changing OpenClaw workspace tool, not a read-only optimizer. Back up your existing HEARTBEAT.md and AGENTS.md, verify the published package includes the assets listed in .clawhubsafe, and only run the heartbeat/install commands if you are comfortable changing persistent agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Scope Creep

High
Confidence
96% confidence
Finding
The script persists usage data under ~/.openclaw/workspace/memory/context-usage.json, which contradicts the skill metadata claim of 'no system modifications.' This mismatch is dangerous because operators may trust the skill as non-modifying and deploy it in sensitive environments where even local writes can leak behavioral metadata, create unauthorized state, or violate policy assumptions.

Scope Creep

High
Confidence
97% confidence
Finding
The generate-agents command writes ~/.openclaw/workspace/AGENTS.md.optimized, again violating the stated 'no system modifications' behavior. This is risky because it can silently introduce authoritative-looking operational instructions into the workspace, potentially influencing future agent behavior or confusing users who believed the skill was analysis-only.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The `heartbeat` command copies a file into `${HOME}/.openclaw/workspace/HEARTBEAT.md`, which is a persistent filesystem modification. That contradicts the stated metadata claim of 'no system modifications' for the executable scripts, creating a trust and transparency issue and enabling unexpected changes to user state when the wrapper is run.

Scope Creep

High
Confidence
97% confidence
Finding
This branch performs a direct write into a user-scoped workspace path under `$HOME` despite the skill description claiming no system modifications. Even though the content copied is local and the action appears functional rather than malicious, undisclosed writes to user files are security-relevant because they can overwrite expected state, alter agent behavior, and violate operator assumptions about what the skill is allowed to change.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs `HEARTBEAT.md` into the user's home directory without any confirmation, preview, or overwrite protection. In the context of an agent skill, silently replacing or creating operational files is risky because users may invoke a convenience wrapper expecting read-only optimization helpers, while this command changes persistent configuration-like state.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal