https://github.com/ckpxgfnksd-max/prompt-compressor-openclaw

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it also includes an optional hook that can silently rewrite user messages before the model sees them.

Install the SOUL.md snippet only if you want persistent concise responses and compressed memory/log behavior, and back up SOUL.md first. Avoid enabling the hook for legal, medical, security, debugging, policy, or exact-wording tasks because it can rewrite your prompt before the model sees it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The README presents the skill as operating via SOUL.md with 'no hooks' or extra components, but later documents a hook that intercepts messages before the model sees them. This inconsistency is security-relevant because it can mislead users about the actual trust boundary and installed capabilities, reducing informed consent around message transformation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: A hook that rewrites user messages before the LLM sees them has broader authority than simple response-style compression and can alter meaning, omit constraints, or distort safety-critical instructions. Because it runs as a pre-processing step on all input, the skill context makes this more dangerous than ordinary output-format guidance: it changes what the model is asked, not just how it answers.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The README claims 'No hooks, no proxy, no extra process, no dependencies' while also advertising a handler.js hook. This contradiction can cause operators to install or trust the skill under false assumptions about persistence and interception behavior, which is a security and transparency issue rather than a mere marketing inconsistency.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The skill metadata and header claim it works via SOUL.md instructions with no hooks, but the implementation is a message-received hook that rewrites inbound user content before the model sees it. This is a security-relevant deception because it changes the trust boundary and hides that user inputs are being silently transformed, which can alter meaning and weaken downstream safety controls.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The manifest describes compressing the agent's own responses, memory logs, and summaries, but the handler actually mutates user messages in transit. That mismatch is dangerous because reviewers and users may approve the skill under a benign description while it performs a materially different and riskier action on untrusted inbound prompts.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The README instructs users to append content into a persistent SOUL.md file without warning that this modifies ongoing agent behavior across sessions. In this skill context the risk is limited, but persistent instruction changes can outlive the user's immediate intent and affect future conversations in unexpected ways.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documented hook silently transforms user input before model processing, yet the README does not warn that user messages will be automatically altered. This undermines user expectations and can lead to hidden prompt mutation, especially risky when users provide precise technical, legal, or safety-relevant wording.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The skill advertises broad trigger phrases like reducing token costs, optimizing API spend, compressing prompts, or making the agent more efficient, which can match many ordinary user requests. In a skill system with automatic invocation, this can cause the compressor to activate in contexts where preserving nuance, safety wording, or exact phrasing matters, leading to unintended prompt rewriting or degraded safety behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installation instructions modify persistent configuration by appending to SOUL.md, but they do not foreground that this changes future agent behavior across sessions. Persistent prompt-layer modification is security-relevant because it can silently alter future responses, memory formatting, and summarization behavior beyond the immediate task, especially if users do not review the appended content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The hook modifies user messages before model processing with no user-facing notice, consent, or audit trail. Silent prompt rewriting can distort user intent, break expected safety semantics, and make incident investigation difficult because the model no longer sees the original request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill explicitly instructs the agent to write compressed content into persistent memory files across sessions, but it provides no user-facing disclosure or consent boundary for that behavior. This is risky because users may not realize that their information is being reformatted and stored persistently, which can create privacy, retention, and transparency issues even if the goal is token savings.

Natural-Language Policy Violations

Severity: Low
Confidence: 82%
Finding: The skill imposes a mandatory response style for every response, including bans on greetings, hedging, and certain phrasings, without any user opt-in or exception for user preferences. This is less severe than a direct security flaw, but it can override user language or accessibility preferences and cause the agent to behave in ways the user did not request.

Ssd 2

Severity: Medium
Confidence: 95%
Finding: Because the hook runs before the LLM sees the message, it can strip hedging and politeness from potentially unsafe requests, producing a sharper and more direct instruction. This can increase jailbreak success or bypass heuristics that rely on the original phrasing and context of the user's request.

Ssd 2

Severity: Medium
Confidence: 96%
Finding: The phrase-deletion rules specifically remove request softeners like 'could you,' 'please,' and 'I was wondering if,' which can convert indirect or paraphrased harmful requests into clearer imperative prompts. In a security-sensitive pipeline, this increases the chance that downstream models interpret malicious intent more strongly or that defenses are evaluated on altered text instead of the original input.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
---
name: prompt-compressor
description: Saves 20-40% of LLM tokens by teaching the agent to write compressed responses, compressed memory logs, and compressed pre-compaction summaries. Works via SOUL.md instructions — no hooks, no extra process, no dependencies. Also provides explicit compression when the user asks to compress a prompt. Use when the user asks about reducing token costs, optimizing API spend, compressing prompts, or making the agent more efficient.
version: 1.0.0
metadata: {"openclaw":{"emoji":"🗜️","homepage":"https://github.com/ckpxgfnksd-max/prompt-compressor-openclaw"}}
---
Confidence: 90%
Finding: write compressed responses, compressed memory logs, and compressed pre-compaction summaries. Works via SOUL.md instructions — no hooks, no extra process, no dependencies. Also provides explicit compre

VirusTotal

65/65 vendors flagged this skill as clean.