Claw Compactor

Security checks across malware telemetry and agentic risk

Overview

Claw Compactor has a coherent token-compression purpose, but it asks to automatically modify broad workspace content and create injectable persistent memory from active conversations without clear safety bounds.

Review before installing. If you use it, start with non-destructive benchmark or dry-run commands, point it only at a backed-up/test workspace, avoid watch/daemon modes until you understand their effects, and review any Engram memory or system-prompt context before letting an agent reuse it.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The skill could rewrite many workspace files before the user notices, potentially damaging code, notes, or session data if a compression rule is wrong.

Why it was flagged

The recommended workflow operates on all workspace files and is framed as a session-start action, but the artifact does not show default dry-run, per-file approval, backup, or exclusion controls.

Skill content

Automatically compresses all workspace files, tracks token counts between runs, and reports savings. Run this at the start of every session.

Recommendation

Run benchmark or dry-run first, restrict the workspace path, keep version-control/backups, and require confirmation before any bulk rewrite.

ASI08: Cascading Failures
Medium
What this means

A bad rule, unexpected file type, or accidental invocation could repeatedly alter workspace contents and spread corrupted context.

Why it was flagged

A watch mode that transforms files whenever they change can propagate an erroneous compression decision across many files or sessions.

Skill content

`auto`: Watch mode - compress on file changes

Recommendation

Avoid watch mode on important repositories until exclusions, backups, and review gates are configured; prefer one-shot dry-run reports.

ASI06: Memory and Context Poisoning
Medium
What this means

Private conversation details may be retained and reused, and malicious or mistaken content from a past thread could influence future agent behavior.

Why it was flagged

Conversation-derived memory is automatically summarized and prepared for high-priority prompt injection, with no clear retention, origin labeling, sanitization, or user-review boundary in the provided instructions.

Skill content

Engram ... operates as a live engine alongside conversations, automatically compressing messages into structured, priority-annotated knowledge ... Get injectable context string (ready for system prompt)

Recommendation

Use Engram only on selected threads, review generated memory before injecting it, label recalled content as untrusted, and define retention/deletion rules.

ASI03: Identity and Privilege Abuse
Low
What this means

If configured, the skill can spend or use the linked LLM provider account and may send conversation content to the configured endpoint.

Why it was flagged

The skill documents provider API-key use for Engram, while registry metadata declares no required credentials; this appears purpose-aligned but under-declared.

Skill content

export ANTHROPIC_API_KEY=sk-ant-... # Preferred ... export OPENAI_API_KEY=sk-...

Recommendation

Use a scoped key or local endpoint, keep keys out of shared files, and verify the configured base URL before enabling Engram.

ASI05: Unexpected Code Execution
Low
What this means

Running the proxy may execute configured worker binaries or scripts with the user's local permissions.

Why it was flagged

The static scan shows the proxy can spawn a worker process. That can be normal for a local compression proxy, but it is still local code execution if the proxy is run.

Skill content

const proc = spawn(worker.bin, args, {

Recommendation

Review worker configuration before running the proxy and do not expose it to untrusted users or networks.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less registry-level assurance about the upstream source, required runtime, and dependency expectations.

Why it was flagged

The registry provenance and setup declarations are sparse for a package that includes substantial runnable code.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; 130 code file(s)

Recommendation

Install only from a trusted publisher, inspect the included code and lockfiles, and pin any optional dependencies before use.

ASI01: Agent Goal Hijack
Low
What this means

Generated decompression or memory text could be over-trusted by the agent if it contains user-supplied instructions.

Why it was flagged

The compression protocol intentionally creates instruction text for system-prompt placement; this is purpose-aligned, but it can become risky if mixed with untrusted compressed content.

Skill content

Each level generates a decompression instruction block to prepend to the receiving model's system prompt:

Recommendation

Keep decompression instructions separate from user data and ensure recalled or compressed content cannot override the user's current goal.