Tide Watch

v1.3.6

Proactive session capacity monitoring and management for OpenClaw. Prevents context window lockups by warning at configurable thresholds (75%, 85%, 90%, 95%)...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is described as a hybrid: directives-only monitoring (no code install) plus an optional Node.js CLI for manual management. The manifest, SKILL.md, file list (bin/, lib/), and install spec align with that description. The required config path (~/.openclaw/agents/main/sessions/) is coherent with session-monitoring and archive operations.
Instruction Scope
SKILL.md limits operations to reading and optionally writing OpenClaw session files and resume-prompts in the declared sessions directory. Instructions explicitly separate a safe Directives-Only mode (no code execution) from an optional CLI mode that performs local read/write and archiving. The directives do not instruct the agent to read unrelated sensitive locations or exfiltrate data.
Install Mechanism
Install is an optional local npm install/link of the packaged code (package: "." → npm link). This is an expected and common pattern for CLI tools; it requires manual user action and inspection. No remote arbitrary downloads, no install hooks (package.json scripts only include tests). Risk is moderate only because installing executable code always requires review — the skill documents that and includes source and tests.
Credentials
No credentials requested. The only environment usage is an optional OPENCLAW_SESSION_ID (declared) for auto-detecting the current session; HOME is used via os.homedir() to locate ~/.openclaw. Requested config paths are appropriate for the stated purpose. No unrelated secrets or broad env access are required.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not request persistent elevated presence beyond being available as an optional skill; autonomous monitoring only runs if the user adds directives/heartbeats. CLI install is opt-in and does not modify other skills' configs.
Scan Findings in Context
[DOCS_CODE_MISMATCH] unexpected: Scanner previously flagged mismatch between claims of 'instruction-only' and presence of code. The project updated documentation and SKILL.md to describe the hybrid model; source code is present and matches the CLI functionality described.
[UNDECLARED_ENV_VAR_OPENCLAW_SESSION_ID] expected: An earlier scan reported an undeclared env var. The changelog and SKILL.md now declare OPENCLAW_SESSION_ID as optional; its use is limited to auto-detection of the current session and is proportionate to the feature.
[SHELL_INJECTION_CVE_2026_001] expected: A shell-injection vulnerability was disclosed (v1.0.0) for resume-prompt editing; the advisory and SKILL.md state it was patched in v1.0.1 (execSync→spawnSync). This historical finding is explained and fixed; users should verify they install a patched version.
Assessment
This skill is coherent with its description: prefer the Directives-Only mode if you want minimal risk (no code installed). If you need the CLI tools:

1) only install the CLI manually (git clone + npm link) if you understand it and trust the repository;
2) confirm the installed version is >= v1.0.1 to avoid the historical CVE;
3) inspect package.json for install hooks (none present) and review lib/resumption.js and lib/capacity.js before linking;
4) verify the CLI only accesses ~/.openclaw/agents/main/sessions/ and not other home files;
5) keep backups and limit auto-backup retention as you prefer.

Overall this package appears benign and local-only, but installing any executable CLI should be a conscious, reviewed action.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🌊 Clawdis
Any bin: node
Config: ~/.openclaw/agents/main/sessions/

Install

Install tide-watch CLI (requires Node.js 14+, optional for Directives-Only mode)
Bins: tide-watch
npm i -g .
