StartClaw-Optimizer

v1.0.2

Master optimization system - APPLIES TO EVERY RESPONSE. Before responding, classify task complexity (simple question vs analysis vs coding). Use Haiku for simple/navigation/extraction/status. Use Sonnet ONLY for writing/analysis/planning/debugging. Monitor context size - if >50k tokens, recommend /compact. For automations, use scheduler wrapper. Never load full conversation history for simple tasks. Heartbeats always Haiku, single-line only. Never use Opus. This skill MUST run before every response to prevent 100k+ token bloat.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The name/description claim ("MUST run before every response / APPLIES TO EVERY RESPONSE") is not reflected in the registry flags (always:false). The SKILL.md and README claim it will route traffic to Haiku/Sonnet/Opus models and reduce cost, but the package does not declare or require any model credentials or cloud provider access. The included code implements routing, scheduling, browser-governor and compaction utilities which are consistent with an optimizer, but the strong claim that it must run on every response is out of proportion with the registry metadata and the absence of an 'always' flag.
Instruction Scope (flagged)
SKILL.md instructs agents to install and require @startclaw/openclaw-optimizer, says the skill should run before every response, and tells them to use particular models (Haiku/Sonnet) for outputs. The runtime instructions do not request reading secrets or system-level files, but the dashboard script reads a config path (~/.clawdbot/optimizer/config.json) and the compactor logs sessionKey and token counts. The top-level imperative (run before every reply) is broad and conflicts with the skill metadata; if followed, that open-ended instruction could lead to overly broad agent usage.
Install Mechanism
No install spec is provided in the registry entry, but SKILL.md shows an npm install command. The skill bundle includes source files and a package.json, so installation risk is low (no external arbitrary download URLs). However, package.json does not list dependencies (the code requires 'tiktoken'), indicating sloppy packaging and a missing dependency declaration; this may cause runtime surprises or hidden install steps if a consumer installs from npm instead of using the provided bundle.
Credentials
The skill declares no required environment variables or credentials, and the code contains no network endpoints or explicit credential handling. That is consistent with the included placeholder summarization (summarizeWithHaiku does not actually call an external API). However, there is an implicit expectation of model invocation (Anthropic model names are present) that in a real deployment would require API keys; the skill neither requests nor justifies any credentials. The dashboard also reads a config path under the user's home directory, which could contain sensitive data in some setups; this access is not declared in requires.config and should be considered.
Persistence & Privilege
Registry flags do not grant permanent/autonomous inclusion (always:false) and disable-model-invocation remains false (normal). The skill does not modify other skills or system configuration in the provided code. It logs compaction events (sessionKey, token counts) and reads an optional config file for the dashboard. The mismatch between the description's insistence on running before every response and the registry flags is notable but does not on its own demonstrate elevated privilege.
What to consider before installing
This package looks like a legitimate optimizer library, but several inconsistencies and sloppy packaging elements mean you should be cautious:

1) The description insists it must run before every response, but the registry flags do not enforce that. Decide deliberately whether you want it auto-invoked.
2) The code references model names (Haiku/Sonnet/Opus) but requests no API keys. Verify how your agent would supply model credentials before trusting automatic routing.
3) package.json omits dependencies (the code requires 'tiktoken'). Prefer installing from a vetted source, or run the bundled code in a sandbox to inspect runtime behavior.
4) The dashboard reads ~/.clawdbot/optimizer/config.json, and compaction logs sessionKey and token counts. Check that file for sensitive information and consider log redaction.
5) Because the package owner and homepage are unknown, verify the npm package integrity (if you plan to npm install) and review the code locally.

If you want to proceed, audit and modify the SKILL.md to remove the hard "MUST run before every response" instruction (or set always:true intentionally) and add explicit dependency and credential guidance. If you cannot review or sandbox it, do not install it into production or grant it autonomous execution.


latest: vk97dk78pxbr7jwyy58vaqvgw2180f52k
