Openclaw Context Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local context optimizer, but it automatically rewrites request context and includes under-scoped agent payment workflows that should be reviewed before use.

Install only if you are comfortable with a skill that can automatically rewrite prompts before model calls and keep local wallet-linked optimization records. Disable or avoid it for legal, medical, financial, security, or instruction-sensitive work unless you can review the compressed context. Do not connect a funded wallet or allow autonomous renewal without strict spending caps, recipient allowlists, and human approval; the included payment verification is not production-grade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The file claims 'No external servers or telemetry' and 'no API calls' in the privacy section, but elsewhere documents x402 subscription, verification, and license endpoints. That contradiction is security-relevant because it can mislead users into authorizing a skill that may perform external payment or license-verification traffic they were explicitly told would not occur.

Intent-Code Divergence

Severity: High. Confidence: 96%.
The privacy representation is internally inconsistent: it says compression happens locally with no API calls, yet the same skill advertises HTTP API routes and payment verification endpoints. Even if some APIs are local-only, the documented x402 verification flow implies network interaction, which creates risk of unexpected data exposure, billing actions, or trust abuse through deceptive documentation.

Context-Inappropriate Capability

Severity: High. Confidence: 96%.
This migration introduces autonomous payment and Pro-tier billing infrastructure into a skill whose stated purpose is context optimization, which is a strong capability mismatch and suggests hidden monetization or unauthorized financial behavior. Even without executable logic in this file, the schema clearly enables wallet tracking, payment request handling, and entitlement granting, creating a foundation for charging agents or users outside the expected trust boundary.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The file behavior does not align with the declared purpose of a context optimizer and instead provisions database tables for x402 payments, transaction verification state, and Pro-tier grants. In an agent skill, this kind of hidden financial capability is dangerous because it can be used to monetize, track wallets, or trigger billing-related workflows without users expecting financial operations from the skill.

Intent-Code Divergence

Severity: High. Confidence: 99%.
The code grants paid Pro access after calling verifyTransactionOnChain(), but that function accepts essentially any txHash longer than 32 characters and does not verify recipient, amount, token, chain, sender, or confirmation status. An attacker can submit a fabricated or unrelated transaction hash to obtain paid features without making a real payment, directly bypassing licensing and revenue controls.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The document explicitly encourages autonomous renewal when ROI is positive, but it does not provide a strong, direct warning that this behavior can cause an agent to spend real funds without human approval. In the context of an agent skill, this is dangerous because users may wire a wallet into automation and the example normalizes recurring spending logic, increasing the chance of unintended or excessive fund transfers.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Telling operators to give an agent access to a funded wallet without a direct caution about delegation risk can lead to uncontrolled or poorly bounded asset spending. In this skill, the risk is amplified because the same document promotes autonomous purchasing and renewal, so wallet delegation is not theoretical but part of the intended workflow.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The documentation states that context is automatically compressed before API calls, but it does not warn that this process may inspect, transform, persist, or otherwise handle sensitive user or agent data. In an agent skill, automatic pre-request processing can affect privacy, data minimization, and compliance expectations, especially if compressed content, analytics, or learned patterns are stored or reused.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The README explicitly promotes autonomous paid upgrades and states 'No human approval needed,' which normalizes agent-initiated spending without an explicit consent boundary, authorization model, or spending safeguards. In an agent skill context, this is dangerous because operators may enable the skill expecting optimization behavior, while the documented design encourages real financial transactions that could be triggered without informed user approval.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The README says the skill automatically intercepts request context before API calls and compresses it, but does not prominently warn that summarization/pruning can omit critical instructions, safety constraints, or user data needed for correct model behavior. Because this skill operates directly on model input context, silent modification can lead to degraded outputs, missed requirements, or unsafe downstream decisions.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The documentation describes local storage of compression history, learning data, and payment records, but does not clearly warn that these artifacts may contain sensitive conversation content, derived summaries, or metadata tied to wallets and usage patterns. Local-only storage reduces external exposure, but it still creates a confidentiality risk on shared machines, backups, compromised endpoints, or improperly permissioned files.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The skill says it automatically intercepts request context, analyzes content, and stores compression patterns locally, but does not present a clear warning or consent boundary around modifying and persisting conversation data. Because this skill operates directly on potentially sensitive prompts and histories, silent interception/storage increases privacy and integrity risk if users assume their data is untouched or ephemeral.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The documentation describes persistent storage of compression sessions, learned patterns, wallet identifiers, payment requests, transaction hashes, and feedback, but it does not mention privacy implications, consent, data minimization, retention limits beyond session cleanup, or handling of potentially sensitive context content. In a context optimizer, stored 'original/compressed context' may contain prompts, secrets, personal data, or proprietary information, so omitting privacy and retention guidance increases the risk of unsafe deployment and over-collection.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The hook records request- and response-derived metadata for ongoing learning, including agent identifiers, context lengths, success signals, and potentially original/compressed context content via pattern analysis, without any visible consent, notice, minimization, or redaction controls in this file. In a context-optimization skill, this creates a real privacy and data-governance risk because sensitive prompts, responses, or user-associated metadata may be retained and repurposed beyond the original request.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The documentation shows sending compressed conversation history to an external API without any warning about sensitive data handling, redaction, consent, or trust boundaries. Compression reduces size but does not remove secrets by default, so users may incorrectly assume it is safe to transmit and could leak personal, confidential, or regulated data to third-party services.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The quick-start examples encourage sending compressed conversation/context directly to an API, but they omit any warning that compression can preserve sensitive user data, distort meaning, or drop important safety/instructional content. In a context-optimization skill, this is security-relevant because users may apply it to chat histories, prompts, or documents containing secrets, PII, or policy constraints and assume the output is safer to transmit simply because it is smaller.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The README explicitly recommends compressing conversation history before an API call, but it does not warn that compression can remove, summarize, or alter user-provided content. In an agent or security-sensitive workflow, this can cause loss of constraints, safety instructions, consent boundaries, or critical factual details, leading to incorrect or unsafe downstream model behavior.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The skill automatically rewrites user-supplied context/prompt data before the request proceeds, without any visible confirmation, provenance marker, or safety guard. In an agent setting, silent prompt rewriting can alter user intent, remove critical instructions, or distort safety constraints, leading to integrity issues and potentially unsafe downstream actions.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill persists compression-session metadata derived from user prompts and associates it with an agent wallet, but there is no evidence here of user notice, consent, minimization, or retention controls. Even if raw prompt text is not stored in this snippet, token counts, quality signals, strategy usage, and linkage to a wallet can still create privacy and behavioral profiling risks.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The storage layer persists both original_context and compressed_context, which may contain secrets, personal data, proprietary prompts, or other sensitive user content. Retaining full raw and transformed context materially increases breach impact, insider access risk, and unintended secondary use, especially for a tool whose purpose is optimization rather than archival storage.

Missing User Warnings

Severity: Medium. Confidence: 82%.
The module logs raw transaction hashes during payment verification. While a tx hash is not a secret like a private key, it is still a payment identifier that can expose user payment activity, enable unwanted correlation of wallets and purchases, and leak financial metadata into centralized logs that may have broader access than the payment system itself.

Context Leakage

Severity: High. Category: Data Exfiltration. Confidence: 94%.

Flagged content:

    // Check license status
    const license = optimizer.x402.hasValidLicense(agentWallet);

    // Log session summary
    console.log(`\n========================================`);
    console.log(`[Context Optimizer] Session ${sessionId} ended`);
    console.log(`========================================`);

Finding:
Log session

VirusTotal

67/67 vendors flagged this skill as clean.