Security audit

Context Compactor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real context-compaction tool, but it needs review because it can run background services that read and store OpenClaw workspace memory and manage local processes.

Install only if you want a local background context-management service, not just a passive prompt helper. Review the scripts first, avoid auto-start or cron until you are comfortable with the data retained, back up context_compactor.db before cleanup commands, restrict access to the localhost API, and remove or replace the external notification example before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (38)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--auto"
            ]
            
            result = subprocess.run(
                compactor_args,
                capture_output=True,
                text=True,
Confidence
95% confidence
Finding
result = subprocess.run( compactor_args, capture_output=True, text=True, encoding="utf-8", cwd=self.script_d

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.path.exists(monitor_script) and os.access(monitor_script, os.X_OK):
                # Use the launcher script
                result = subprocess.run(
                    [monitor_script],
                    capture_output=True,
                    text=True,
Confidence
96% confidence
Finding
result = subprocess.run( [monitor_script], capture_output=True, text=True, encoding="utf-8",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return False
            else:
                # Run the Python script directly
                result = subprocess.run(
                    [sys.executable, self.components["monitor"]],
                    capture_output=True,
                    text=True,
Confidence
89% confidence
Finding
result = subprocess.run( [sys.executable, self.components["monitor"]], capture_output=True, text=True, e

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents shell execution, file access, and persistent state management, but the metadata shown here does not declare corresponding permissions. That creates a capability-transparency gap: operators may invoke a skill believing it is limited to context summarization when it can also read/write local data and launch scripts, increasing the chance of unintended filesystem access or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes well beyond passive context compaction: it describes monitoring local memory files, reading AGENTS.md and workspace data, exposing an HTTP API, spawning background services, and persisting data to SQLite and logs. This mismatch is dangerous because users may authorize a seemingly narrow optimization skill while actually granting a broader local automation and data-handling service with additional attack surface and persistence.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide adds an unrelated iMessage notification capability that sends operational details to an external recipient. This expands the skill's scope beyond context compaction and can leak usage/state information without any warning, consent flow, or data-minimization guidance.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The test report for a context-compression skill includes unrelated iMessage/channel filtering data and a specific phone number, which indicates scope creep into messaging/routing behavior outside the declared purpose. Even in documentation, mixing unrelated communication-channel controls with memory compaction increases the chance that the skill is granted or normalized with access to external messaging contexts it does not need, creating unnecessary privacy and security exposure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The component initializes and uses a persistent local SQLite database to store full `content` fields for context items, which means conversation data is retained beyond transient compaction. For a context-compaction skill, this creates an avoidable confidentiality and data-retention risk if sensitive prompts, secrets, or personal data are written to disk and later accessed by other local users, tools, or backups.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill reads ~/.openclaw/workspace/memory and AGENTS.md to collect session data, which may contain unrelated, sensitive workspace content. In the context of a compaction skill, this is particularly dangerous because it silently broadens access beyond the immediate task and can expose private instructions, memories, or user data to later processing and persistence.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill launches monitoring scripts and shell entrypoints even though its stated purpose is context compaction. That mismatch increases danger because users may grant access expecting text processing, while the skill actually performs process execution with side effects and a larger attack surface.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill performs compaction by spawning a separate hierarchical_compactor process instead of handling the logic internally. In a security-sensitive agent environment, this increases risk because it delegates trusted behavior to another file on disk whose implementation and integrity are not enforced here, enabling stealthy execution of arbitrary code under the guise of compaction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The monitor reads conversation data directly from a hard-coded ~/.openclaw/workspace/memory directory, coupling this skill to another application's local data without any explicit consent, boundary check, or configuration gate. Because this skill's stated role is context compaction, silently ingesting external session memory broadens data access and can expose sensitive conversation history.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The generated API exposes runtime configuration updates via POST /api/config with no authentication or validation. Although bound to localhost, any local process can modify compactor behavior, which can weaken safeguards, alter retention/compression policy, or induce unsafe operation if the compactor trusts configuration fields too broadly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script enumerates Python processes by a broad name pattern and then terminates all matches, which can kill unrelated local workloads that merely contain monitor, integration, or hierarchical_compactor in their command line. In the context of a context-compaction skill, this exceeds the minimally necessary scope and creates an unsafe local denial-of-service capability if the script is run with sufficient privileges.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This code provides bulk local process-kill functionality using TERM and KILL against pattern-matched Python processes, which is powerful operational behavior not strictly required for context compression. If executed by a privileged user, it can forcibly terminate unrelated services and cause service interruption, data loss, or corruption, making it a real safety and security issue.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The deployment guide describes archival, cleanup, and compaction of conversation history without clearly warning that these actions can alter, delete, or irreversibly summarize user data. In a context-management skill, that omission is meaningful because operators may enable the feature assuming it is lossless, leading to accidental data loss or degraded auditability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document recommends automatic background triggers that periodically inspect and process conversation content, but it does not disclose privacy, retention, or fidelity implications. Because this skill operates on user dialogue, silent background processing increases the risk of unintended handling of sensitive information and unnoticed degradation of important context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to run automated log deletion commands without any warning about data loss or guidance on retention/backup. While deleting old logs is a common maintenance task, presenting destructive commands in installation steps can cause unintended loss of audit and troubleshooting evidence.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The troubleshooting step tells users to remove the SQLite database file and reinitialize it, which will erase all stored context/history. In a context-management skill, that data may be important for continuity, debugging, or compliance, so omitting a warning materially increases the risk of accidental destructive action.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The fault-recovery examples include process killing, restart actions, and database backup/recovery operations that modify local state, but they are presented without warnings about service interruption, stale PID matching, or possible data loss/corruption. Users may run them verbatim in production and unintentionally disrupt the environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation recommends storing compressed summaries into shared memory for use by other agents without discussing confidentiality boundaries or retention risks. Since context compaction may include sensitive conversation content, sharing it broadly can expose private data to unrelated components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The alerting example sends token-usage information to an external phone number but does not warn that this creates outbound communications and may disclose system telemetry. Including a real-looking recipient increases the chance of accidental transmission and normalizes unsafe copy-paste behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to delete the SQLite database file as part of recovery, but does not explicitly warn that this permanently removes all stored compaction history and tiered data. In an operations-oriented skill that manages session history and long-term context, this omission raises the likelihood of accidental destructive use and data loss during troubleshooting.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation guidance uses very broad phrases such as 'long conversation', 'optimize memory', and 'reduce token usage', which are likely to occur in ordinary discussion. That increases the risk of accidental invocation of a skill that can alter history, run scripts, and start services, potentially causing unintended context modification or local side effects without clear user intent.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation promotes automatic compression and cleanup of conversation history without warning that summarization or deletion can lose nuance, overwrite important context, or alter future agent behavior. In this skill's context, that is especially dangerous because the system appears to trigger automatically and persist results, so mistakes can silently propagate across sessions and reports.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
DEPLOYMENT.md:279