Overkill Token Optimizer
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: broedkrummen-overkill-token-optimizer
Version: 1.0.3
The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability. The `cli.py` script executes an external `oktk` binary, whose path is determined by the `OKTK_BIN` environment variable (defined in `config.py`). If an attacker can control this environment variable (e.g., by setting `OKTK_BIN=/bin/sh`), they can execute arbitrary commands via the `token-optimizer compress <command>` functionality, as the user-supplied `<command>` is passed directly to the `subprocess.run` call. While the skill's stated purpose is benign, this vulnerability allows for unauthorized command execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this way gives external installer code the ability to run on the user's machine.
The framework documentation offers an unpinned remote installer script for the required oktk dependency; this is disclosed and purpose-related, but the installed code is outside the supplied artifacts.
curl -sSL https://get.oktk.io | sh
Prefer a verified package source, pin the oktk version, review the installer, and avoid piping remote scripts to a shell unless you trust the source.
If a destructive or unintended command is passed to compression, it could affect local files or systems just like running that command normally.
The compress command delegates arbitrary user-supplied commands to the external oktk binary. This is central to CLI output compression, but it means the command runs with the user's local permissions.
subprocess.run([OKTK_BIN, "compress", "--"] + command, capture_output=False, text=True, timeout=300)
Use compress only with commands you explicitly chose and reviewed; avoid destructive commands and keep human approval for high-impact operations.
Local session history can become searchable and persist in an index under the OpenClaw workspace directory.
The skill indexes and searches local OpenClaw workspace memory files and stores a persistent session index. This is purpose-aligned, but session memory may contain private conversation history.
SESSION_INDEX_DIR = WORKSPACE_DIR / ".session_index"
SESSION_DIR = WORKSPACE_DIR / "memory"
SESSION_PATTERN = "*.md"
Review what is stored in the workspace memory directory before indexing, delete the .session_index directory if needed, and avoid indexing sensitive sessions.
