Security audit

Context Compactor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real context-compaction tool, but it needs Review because it can run background services that read and store OpenClaw workspace memory and manage local processes.

Install only if you want a local background context-management service, not just a passive prompt helper. Review the scripts first, avoid auto-start or cron until you are comfortable with the data retained, back up context_compactor.db before cleanup commands, restrict access to the localhost API, and remove or replace the external notification example before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (38)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: "--auto" ] result = subprocess.run( compactor_args, capture_output=True, text=True,
Confidence: 95% confidence
Finding: result = subprocess.run( compactor_args, capture_output=True, text=True, encoding="utf-8", cwd=self.script_d

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if os.path.exists(monitor_script) and os.access(monitor_script, os.X_OK): # 使用启动脚本 result = subprocess.run( [monitor_script], capture_output=True, text=True,
Confidence: 96% confidence
Finding: result = subprocess.run( [monitor_script], capture_output=True, text=True, encoding="utf-8",

subprocess module call

Medium

Category: Dangerous Code Execution
Content: return False else: # 直接运行Python脚本 result = subprocess.run( [sys.executable, self.components["monitor"]], capture_output=True, text=True,
Confidence: 89% confidence
Finding: result = subprocess.run( [sys.executable, self.components["monitor"]], capture_output=True, text=True, e

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill advertises and documents shell execution, file access, and persistent state management, but the metadata shown here does not declare corresponding permissions. That creates a capability-transparency gap: operators may invoke a skill believing it is limited to context summarization when it can also read/write local data and launch scripts, increasing the chance of unintended filesystem access or command execution.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The documented behavior goes well beyond passive context compaction: it describes monitoring local memory files, reading AGENTS.md and workspace data, exposing an HTTP API, spawning background services, and persisting data to SQLite and logs. This mismatch is dangerous because users may authorize a seemingly narrow optimization skill while actually granting a broader local automation and data-handling service with additional attack surface and persistence.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The guide adds an unrelated iMessage notification capability that sends operational details to an external recipient. This expands the skill's scope beyond context compaction and can leak usage/state information without any warning, consent flow, or data-minimization guidance.

Context-Inappropriate Capability

Medium

Confidence: 87% confidence
Finding: The test report for a context-compression skill includes unrelated iMessage/channel filtering data and a specific phone number, which indicates scope creep into messaging/routing behavior outside the declared purpose. Even in documentation, mixing unrelated communication-channel controls with memory compaction increases the chance that the skill is granted or normalized with access to external messaging contexts it does not need, creating unnecessary privacy and security exposure.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The component initializes and uses a persistent local SQLite database to store full `content` fields for context items, which means conversation data is retained beyond transient compaction. For a context-compaction skill, this creates an avoidable confidentiality and data-retention risk if sensitive prompts, secrets, or personal data are written to disk and later accessed by other local users, tools, or backups.

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The skill reads ~/.openclaw/workspace/memory and AGENTS.md to collect session data, which may contain unrelated, sensitive workspace content. In the context of a compaction skill, this is particularly dangerous because it silently broadens access beyond the immediate task and can expose private instructions, memories, or user data to later processing and persistence.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The skill launches monitoring scripts and shell entrypoints even though its stated purpose is context compaction. That mismatch increases danger because users may grant access expecting text processing, while the skill actually performs process execution with side effects and a larger attack surface.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill performs compaction by spawning a separate hierarchical_compactor process instead of handling the logic internally. In a security-sensitive agent environment, this increases risk because it delegates trusted behavior to another file on disk whose implementation and integrity are not enforced here, enabling stealthy execution of arbitrary code under the guise of compaction.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The monitor reads conversation data directly from a hard-coded ~/.openclaw/workspace/memory directory, coupling this skill to another application's local data without any explicit consent, boundary check, or configuration gate. Because this skill's stated role is context compaction, silently ingesting external session memory broadens data access and can expose sensitive conversation history.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: The generated API exposes runtime configuration updates via POST /api/config with no authentication or validation. Although bound to localhost, any local process can modify compactor behavior, which can weaken safeguards, alter retention/compression policy, or induce unsafe operation if the compactor trusts configuration fields too broadly.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The script enumerates Python processes by a broad name pattern and then terminates all matches, which can kill unrelated local workloads that merely contain monitor, integration, or hierarchical_compactor in their command line. In the context of a context-compaction skill, this exceeds the minimally necessary scope and creates an unsafe local denial-of-service capability if the script is run with sufficient privileges.

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: This code provides bulk local process-kill functionality using TERM and KILL against pattern-matched Python processes, which is powerful operational behavior not strictly required for context compression. If executed by a privileged user, it can forcibly terminate unrelated services and cause service interruption, data loss, or corruption, making it a real safety and security issue.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The deployment guide describes archival, cleanup, and compaction of conversation history without clearly warning that these actions can alter, delete, or irreversibly summarize user data. In a context-management skill, that omission is meaningful because operators may enable the feature assuming it is lossless, leading to accidental data loss or degraded auditability.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The document recommends automatic background triggers that periodically inspect and process conversation content, but it does not disclose privacy, retention, or fidelity implications. Because this skill operates on user dialogue, silent background processing increases the risk of unintended handling of sensitive information and unnoticed degradation of important context.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The guide instructs users to run automated log deletion commands without any warning about data loss or guidance on retention/backup. While deleting old logs is a common maintenance task, presenting destructive commands in installation steps can cause unintended loss of audit and troubleshooting evidence.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The troubleshooting step tells users to remove the SQLite database file and reinitialize it, which will erase all stored context/history. In a context-management skill, that data may be important for continuity, debugging, or compliance, so omitting a warning materially increases the risk of accidental destructive action.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The fault-recovery examples include process killing, restart actions, and database backup/recovery operations that modify local state, but they are presented without warnings about service interruption, stale PID matching, or possible data loss/corruption. Users may run them verbatim in production and unintentionally disrupt the environment.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation recommends storing compressed summaries into shared memory for use by other agents without discussing confidentiality boundaries or retention risks. Since context compaction may include sensitive conversation content, sharing it broadly can expose private data to unrelated components.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The alerting example sends token-usage information to an external phone number but does not warn that this creates outbound communications and may disclose system telemetry. Including a real-looking recipient increases the chance of accidental transmission and normalizes unsafe copy-paste behavior.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README instructs users to delete the SQLite database file as part of recovery, but does not explicitly warn that this permanently removes all stored compaction history and tiered data. In an operations-oriented skill that manages session history and long-term context, this omission raises the likelihood of accidental destructive use and data loss during troubleshooting.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The activation guidance uses very broad phrases such as 'long conversation', 'optimize memory', and 'reduce token usage', which are likely to occur in ordinary discussion. That increases the risk of accidental invocation of a skill that can alter history, run scripts, and start services, potentially causing unintended context modification or local side effects without clear user intent.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The documentation promotes automatic compression and cleanup of conversation history without warning that summarization or deletion can lose nuance, overwrite important context, or alter future agent behavior. In this skill's context, that is especially dangerous because the system appears to trigger automatically and persist results, so mistakes can silently propagate across sessions and reports.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: DEPLOYMENT.md:279