Back to skill

Security audit

Token Optimization

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only OpenClaw cost-optimization guide with disclosed, user-directed configuration changes, but users should back up workspace files before applying them.

Before following the guide, inspect and back up BOOTSTRAP.md, AGENTS.md, MEMORY.md, and openclaw.json. Only apply the cache, pruning, and heartbeat settings if you are comfortable changing future agent behavior and possible background activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill explicitly instructs users to rename or effectively remove BOOTSTRAP.md because it 'loads every turn for zero value,' but it does not warn that the file may contain initialization or startup behavior required by a specific deployment. In a configuration-optimization skill, encouraging deletion of a startup-related file without verification steps can cause loss of important agent behavior, misconfiguration, or degraded safety controls.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.