Security audit

Optimizer Openclaw Token

Security checks across malware telemetry and agentic risk

Overview

This cost-optimization skill is not clearly malicious, but it can change ongoing agent behavior and overwrite local OpenClaw workspace files in ways users should review first.

Install only if you intentionally want OOT to influence model selection, heartbeat behavior, and local OpenClaw workspace files. Review generated AGENTS.md and HEARTBEAT.md content before adopting it, back up any existing HEARTBEAT.md, avoid the RTK curl-to-shell installer unless you verify it separately, and do not rely on token_tracker.py as real budget enforcement without additional integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Medium (92% confidence)

The script inspects multiple provider API-key environment variables to infer which backend to use. Although it does not exfiltrate the secrets, reading secret-bearing environment variables is still an unnecessary sensitive-data access for a component described as local-only routing logic, and it expands the script's access to credentials that are unrelated to pure prompt classification.

Description-Behavior Mismatch

Medium (92% confidence)

The heartbeat command copies a template into a fixed path under the user's home directory, which is a real filesystem modification despite the surrounding skill metadata claiming the executable scripts make no system modifications. That mismatch is security-relevant because users may invoke the script with a weaker trust model than warranted, and the write occurs without validating the destination or obtaining consent.

Context-Inappropriate Capability

Medium (88% confidence)

The script includes an installation-style action that writes into the user's home workspace, expanding its effect beyond mere local analysis or recommendation logic. In context, this is more dangerous because the skill description emphasizes local-only optimization tooling with no system modifications, so the write behavior violates user expectations and can clobber configuration or workflow files.

Intent-Code Divergence

Low (84% confidence)

The help text says 'Install optimized heartbeat' but does not disclose that the command overwrites a specific fixed file in the user's workspace. While this is primarily a transparency and safety issue rather than code execution, understated destructive behavior can lead users to unintentionally lose existing content.

Description-Behavior Mismatch

Medium (96% confidence)

The function that is supposed to obtain token usage returns hardcoded zero values, so the tool gives users a false sense of budget visibility and may suppress needed cost controls. In the context of a cost-optimization skill, this mismatch is more dangerous because operators may rely on it to manage spend at scale and fail to notice real usage or overruns.

Intent-Code Divergence

Medium (93% confidence)

The top-level docstring states that the script monitors API usage and warns on limits, but the implementation does not actually monitor anything and instead depends on placeholder data. Misleading operational/security claims are risky because they can cause users to trust nonexistent safeguards, especially in a skill explicitly marketed for budget tracking and token reduction.

Missing User Warnings

Medium (94% confidence)

The README instructs users to execute a remotely fetched installer script directly with `sh` and does not place a clear warning nearby about the trust and supply-chain risks. This is dangerous because any compromise of the source repository, branch, CDN path, or transport chain could result in arbitrary code execution on the user's machine at install time.

Natural-Language Policy Violations

Medium (94% confidence)

The template hard-codes a model override and states it should ALWAYS run on a specific provider/model, removing user or operator choice. Even though this appears cost-motivated rather than malicious, it can silently route potentially sensitive heartbeat content to a model/provider the user did not explicitly approve, creating policy, privacy, governance, and reliability risks.

Missing User Warnings

Medium (97% confidence)

The documentation recommends a quick-install command that downloads a remote script and immediately executes it with the shell. This is dangerous because users cannot inspect the script before execution, and any compromise of the upstream repository, branch, distribution path, or transport trust chain could lead to arbitrary code execution on the local machine.

Missing User Warnings

Medium (95% confidence)

The cp operation overwrites the target file in the user's home directory without checking whether it already exists or asking for confirmation. In this skill context, that is a genuine safety flaw because the tool is positioned as an optimization helper, not as an installer that mutates workspace state, so users may not anticipate destructive replacement of HEARTBEAT.md.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.