Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Token Optimizer

v1.0.0

Optimize OpenClaw token usage and cost by auditing context injection, trimming workspace files (AGENTS.md/SOUL.md/MEMORY.md and daily memory), enabling promp...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md explicitly audits OpenClaw config and workspace injections and produces openclaw.json patches and trimming plans. It does not request unrelated binaries, credentials, or config paths.
Instruction Scope
The runtime instructions ask the agent to locate and inspect local OpenClaw config files and injected workspace files (e.g., ~/.openclaw/openclaw.json, AGENTS.md, MEMORY.md, memory/YYYY-MM-DD.md). That behavior is proportionate to a token-optimization audit, but it means the agent will be guided to read local files and suggest edits; the SKILL.md does not include explicit safeguards (backup/review steps) before applying changes, so the user should review any proposed edits before applying them.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation/execution perspective (nothing is downloaded or written by an installer).
Credentials
The skill declares no required environment variables, credentials, or config paths. Mentioned filesystem paths are reasonable and relevant for the stated purpose (auditing OpenClaw config and workspace files).
Persistence & Privilege
always:false and no install means the skill does not request forced persistence. The skill's recommendations (e.g., enabling heartbeats, cache warmers, compaction, cron changes) could increase automated activity or change runtime behavior if applied — users should consider these operational effects before applying changes. Autonomous invocation (disable-model-invocation:false) is platform-default and not by itself a red flag.
Assessment
This skill is internally consistent and appears to do what it says: audit configs and recommend concrete openclaw.json edits and workspace trimming. Before installing or following its recommendations, back up your openclaw.json and workspace files and review any config patches the skill provides. Be cautious about: (1) automated 'heartbeat' or cron recommendations that could increase API calls if applied without adjustment, (2) compaction/memory-flush prompts that change where session content is stored, and (3) any advice that instructs the agent to search or modify many files — run that with explicit user approval. Verify suggested JSON keys are supported by your OpenClaw version/provider before applying, and roll out changes in stages (quick wins first) as the skill itself recommends.

Like a lobster shell, security has layers — review code before you run it.
