Context Shrink
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This hook is meant to shrink memories, but it contains automatic memory-file deletion and broad git shell commands that are not safely scoped.
Review carefully before installing. If you use it, restrict it to a disposable or well-backed-up workspace, fix the shell command handling, scope git operations to only the memory files, and confirm the cleanup threshold and retention policy match what you want.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. A malformed or attacker-influenced workspace path could cause commands other than the intended git command to run with the user's local privileges.
The runtime workspace path is interpolated directly into a shell command. If that path contains shell metacharacters or unexpected spacing, the command can fail or execute unintended shell operations.
Evidence: const workspaceDir = context?.workspaceDir || process.env.HOME + '/.openclaw/workspace'; ... execSync(`cd ${workspaceDir} && git add -A`, { stdio: 'pipe' });
Recommendation: Avoid shell interpolation; use execFile/spawn with a cwd option, validate the workspace path, and quote or reject unsafe paths.
2. Unrelated local work could be staged and committed, and old memory logs could be removed automatically without a clear approval checkpoint.
The cleanup path deletes memory files and then stages every change in the workspace, not only the MEMORY.md and memory-log files managed by this skill.
Evidence: fs.unlinkSync(filePath); ... execSync(`cd ${workspaceDir} && git add -A`, { stdio: 'pipe' });
Recommendation: Require explicit user confirmation or a dry-run preview, limit git add to the exact files changed by the hook, and avoid deleting originals until a verified backup or commit succeeds.
3. Sensitive details or untrusted instructions from old logs may be preserved in long-term memory and influence future sessions.
The hook reads prior session memory files and writes selected content into persistent MEMORY.md for later reuse.
Evidence: const content = fs.readFileSync(filePath, 'utf-8'); ... fs.writeFileSync(memoryMdPath, existingMemory + newMemory);
Recommendation: Review what is stored in memory, add secret/instruction filtering, and make clear how users can exclude files or disable persistent memory compression.
4. Users may not realize the hook depends on local git behavior until it runs or fails.
The hook documentation declares runtime binary requirements, while the registry requirements supplied for review list no required binaries.
Evidence: requires: bins: ["node", "git"]
Recommendation: Declare git/node requirements consistently in registry metadata and document exactly what git commands will run.
5. Users may misunderstand when the hook will start deleting and compressing memory files.
The artifact gives conflicting trigger thresholds for an automatic cleanup action.
Evidence: Auto-compresses session memories when context usage exceeds 60% threshold ... runs automatically when context usage ≥ 85% ... CONTEXT_THRESHOLD = 0.85
Recommendation: Make the threshold and trigger conditions consistent across SKILL.md, HOOK.md, package metadata, and handler code.
