Optimizer Openclaw Token
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: oot
Version: 1.0.0
The OOT (Token Optimizer) skill bundle is a legitimate utility designed to reduce API costs through context minimization, model routing, and heartbeat optimization. The included Python scripts (context_optimizer.py, model_router.py, heartbeat_optimizer.py, and token_tracker.py) are well-structured, use only standard libraries, and perform local state management within the OpenClaw workspace without any network access or dangerous execution calls like eval() or os.system(). While the documentation (PROVIDERS.md and config-patches.json) references external API providers and placeholder environment variables for keys, these are clearly labeled as informational guides for optional manual configuration. The instructions in SKILL.md and the generated AGENTS.md templates are strictly aligned with the stated purpose of cost reduction and do not contain malicious prompt injections.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the generated AGENTS.md is adopted, the agent may load less memory/documentation and use cheaper models for simple prompts, which can save cost but may reduce context or quality for some tasks.
The generated AGENTS.md content would change future context-loading and model-selection instructions. This is central to the token-saving purpose, but it should be reviewed before becoming persistent agent guidance.
**Stop there.** Don't load anything else unless needed. ... **Simple conversations → HAIKU ONLY**
Review AGENTS.md.optimized before replacing existing workspace instructions, keep a backup, and add exceptions for tasks that require fuller context or stronger models.
Running the heartbeat helper may replace existing heartbeat instructions and affect future monitoring/check behavior.
The wrapper's heartbeat command writes a persistent OpenClaw HEARTBEAT.md file. The action is user-invoked and scoped, but it can overwrite existing heartbeat behavior.
DEST="${HOME}/.openclaw/workspace/HEARTBEAT.md"
cp "$SCRIPT_DIR/../assets/HEARTBEAT.template.md" "$DEST"
Inspect the HEARTBEAT template first, back up any existing HEARTBEAT.md, and restore it if the optimized heartbeat is not desired.
If configured, these API keys grant access to paid AI-provider accounts and can incur costs if misused elsewhere.
The skill documents optional provider API keys for multi-provider routing. These credentials are expected for the integration, and the provided scripts do not show key exfiltration.
Store API keys in `~/.openclaw/openclaw.json` or environment variables:
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENROUTER_API_KEY="sk-or-v1-..."
Use environment variables or a protected config file, avoid pasting keys into chat, rotate keys if exposed, and only configure providers you intend to use.
Following that optional command would run a remote installer on the user's machine.
The RTK companion guide includes a curl-piped-to-shell installer from a remote branch. It is optional and not automatically run by OOT, but it executes external code if followed.
curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh
Prefer a package manager where possible, inspect the install script before running it, or pin to a trusted release rather than a moving branch.
Local file-access metadata may remain across sessions, and manual or accidental changes to the state file could skew optimization recommendations.
The context optimizer persists local usage metadata that can influence future context recommendations. The data stays local in the provided code, but it is persistent state.
STATE_FILE = Path.home() / ".openclaw/workspace/memory/context-usage.json"
Keep the OpenClaw memory directory private, delete/reset these JSON state files if needed, and avoid treating generated recommendations as mandatory.
