Optimizer Openclaw Token
PassAudited by ClawScan on May 6, 2026.
Overview
This appears to be a coherent token-cost optimization skill, with user-directed local scripts and no artifact-backed exfiltration or hidden execution, but users should review the persistent OpenClaw changes, optional API-key guidance, and optional RTK installer instructions.
This skill looks reasonable for reducing token/API costs. Before using it, review any generated AGENTS.md and HEARTBEAT.md changes, back up existing OpenClaw workspace files, protect any provider API keys, and avoid the optional RTK curl-to-shell installer unless you have inspected and trust it. Some repository files were truncated or omitted from the supplied artifacts, so review those files directly before relying on the skill's security claims.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the generated AGENTS.md is adopted, the agent may load less memory/documentation and use cheaper models for simple prompts, which can save cost but may reduce context or quality for some tasks.
The generated AGENTS.md content would change future context-loading and model-selection instructions. This is central to the token-saving purpose, but it should be reviewed before becoming persistent agent guidance.
**Stop there.** Don't load anything else unless needed. ... **Simple conversations → HAIKU ONLY**
Review AGENTS.md.optimized before replacing existing workspace instructions, keep a backup, and add exceptions for tasks that require fuller context or stronger models.
Running the heartbeat helper may replace existing heartbeat instructions and affect future monitoring/check behavior.
The wrapper's heartbeat command writes a persistent OpenClaw HEARTBEAT.md file. The action is user-invoked and scoped, but it can overwrite existing heartbeat behavior.
DEST="${HOME}/.openclaw/workspace/HEARTBEAT.md"
cp "$SCRIPT_DIR/../assets/HEARTBEAT.template.md" "$DEST"Inspect the HEARTBEAT template first, back up any existing HEARTBEAT.md, and restore it if the optimized heartbeat is not desired.
If configured, these API keys grant access to paid AI-provider accounts and can incur costs if misused elsewhere.
The skill documents optional provider API keys for multi-provider routing. These credentials are expected for the integration, and the provided scripts do not show key exfiltration.
Store API keys in `~/.openclaw/openclaw.json` or environment variables: export ANTHROPIC_API_KEY="sk-ant-..." export OPENROUTER_API_KEY="sk-or-v1-..."
Use environment variables or a protected config file, avoid pasting keys into chat, rotate keys if exposed, and only configure providers you intend to use.
Following that optional command would run a remote installer on the user's machine.
The RTK companion guide includes a curl-piped-to-shell installer from a remote branch. It is optional and not automatically run by OOT, but it executes external code if followed.
curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh
Prefer a package manager where possible, inspect the install script before running it, or pin to a trusted release rather than a moving branch.
Local file-access metadata may remain across sessions, and manual or accidental changes to the state file could skew optimization recommendations.
The context optimizer persists local usage metadata that can influence future context recommendations. The data stays local in the provided code, but it is persistent state.
STATE_FILE = Path.home() / ".openclaw/workspace/memory/context-usage.json"
Keep the OpenClaw memory directory private, delete/reset these JSON state files if needed, and avoid treating generated recommendations as mandatory.