Token Optimization

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is consistent with its stated purpose of token-cost optimization, but it asks users to make persistent changes to OpenClaw configuration and workspace files. Review those changes, and back up the affected files, before applying them.

Before installing or applying this skill, back up your OpenClaw configuration and workspace markdown files, review the cache/pruning/heartbeat settings, and avoid keeping secrets or sensitive data in files that are loaded or cached every turn.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Applying the guide may alter what the agent loads, remembers, prunes, or runs on future turns.

Why it was flagged

The skill instructs the user to modify persistent OpenClaw configuration/workspace files and restart the gateway. This is purpose-aligned, but it can change agent behavior if applied incorrectly.

Skill content

Prerequisites ... Access to edit `openclaw.json` ... mv ~/.openclaw/workspace/BOOTSTRAP.md ~/.openclaw/workspace/BOOTSTRAP.md.bak ... openclaw gateway restart

Recommendation

Back up `openclaw.json` and workspace markdown files before editing, apply changes manually, and verify behavior with `session_status` after restart.

What this means

Sensitive content included in prompts or retained tool outputs could remain available in context/cache longer than expected.

Why it was flagged

The recommended caching and pruning settings can retain or reuse prompt context, command output, file contents, or browser snapshots. This is central to the optimization goal, but users should consider sensitive context exposure and retention.

Skill content

`cacheRetention`: `long` ... `contextPruning` ... `allow`: ["exec", "read", "browser"]

Recommendation

Avoid placing secrets or sensitive documents in always-loaded workspace files, and adjust cache retention or tool-output retention if privacy is more important than token savings.

What this means

The agent may keep running periodic heartbeat activity after setup, which can affect cost, logs, or operational expectations.

Why it was flagged

The skill suggests an optional recurring heartbeat configuration to maintain cache warmth. It is disclosed and purpose-aligned, but it creates ongoing scheduled agent activity.

Skill content

Pair `cacheRetention: "long"` with heartbeat at ~55 min intervals to keep cache permanently warm

Recommendation

Only enable heartbeat keep-warm settings if you want ongoing background activity, and choose a model/frequency that matches your cost and privacy preferences.