๐Ÿฆ Shrink โ€” Three-Tier Multimodal Context Optimizer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Shrink appears purpose-aligned and disclosed, but it legitimately uses Anthropic credentials, sends session images/context to Anthropic, and rewrites OpenClaw session history, so users should review the scope before running it.

Before installing, make sure you are comfortable with the skill reading OpenClaw session files and Anthropic credentials, sending selected images and context to Anthropic, and modifying session history. Use dry-run first, keep backups enabled, avoid all-sessions unless intended, and verify generated descriptions for important or sensitive images.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill may spend or use Anthropic account credentials already stored for an OpenClaw agent.

Why it was flagged

The skill can use local Anthropic credentials from OpenClaw auth profiles, not only an explicit environment variable. This is disclosed and purpose-aligned for the vision API, but it is still sensitive account access.

Skill content
If not set, the script reads keys from ~/.openclaw/agents/<agentId>/agent/auth-profiles.json
Recommendation

Prefer a dedicated Anthropic API key with limited intended use, confirm the target agent, and review/rotate stored credentials if you are uncomfortable with this access.

ASI06: Memory and Context Poisoning
Medium
What this means

Private screenshots or conversation details may be shared with Anthropic, and future agent behavior may rely on the generated replacement descriptions.

Why it was flagged

The skill sends potentially private session images and nearby conversation text to an external model, then stores generated descriptions back into the persistent session history.

Skill content
Images and surrounding conversation context (up to 10 preceding messages) are sent to the Anthropic vision API for description generation.
Recommendation

Use dry-run first, avoid processing highly sensitive images unless acceptable, consider the --redact option, and keep backups until you verify the generated descriptions.
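A concrete way to decide whether the --redact option or a dry-run is enough for a given session is to look at exactly what would leave the machine: for every image block, the image's own message plus the preceding messages that form the context window. The script below is an added example written for this review, not code shipped with Shrink. It assumes an Anthropic-style JSONL layout (one JSON object per line with a "role" and a "content" list of {"type": "text"|"image", ...} blocks), a 10-message window as stated in the skill content, and a small set of illustrative secret-shaped patterns; the session lines are constructed for the example.

```python
import json
import re

# Constructed sample session in the assumed JSONL shape (one message per line).
SAMPLE_JSONL = "\n".join(json.dumps(m) for m in [
    {"role": "user", "content": [
        {"type": "text", "text": "Deploy prod, the token is sk-ant-api03-abcdef0123456789abcdef"}]},
    {"role": "assistant", "content": [
        {"type": "text", "text": "Deploying now."}]},
    {"role": "user", "content": [
        {"type": "text", "text": "Here is the dashboard"},
        {"type": "image", "source": {"type": "base64", "media_type": "image/png",
                                     "data": "iVBORw0KGgo="}}]},
])

# Illustrative secret-shaped patterns (assumption: these are the shapes worth
# catching before text is sent to an external model; extend for your estate).
SECRET_PATTERNS = {
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def load_session(jsonl_text):
    """Parse JSONL into a list of message dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def image_positions(messages):
    """Yield (message_index, block_index) for every image block in the session."""
    for mi, msg in enumerate(messages):
        content = msg.get("content", [])
        if not isinstance(content, list):
            continue
        for bi, block in enumerate(content):
            if isinstance(block, dict) and block.get("type") == "image":
                yield mi, bi


def text_of(msg):
    """Concatenate the text blocks of a message (images contribute nothing)."""
    content = msg.get("content", [])
    if isinstance(content, str):
        return content
    return " ".join(b.get("text", "") for b in content
                    if isinstance(b, dict) and b.get("type") == "text")


def outbound_indices(image_msg_index, window=10):
    """Indices of messages that accompany the image: up to `window` preceding
    messages plus the image's own message (assumed to travel with it)."""
    start = max(0, image_msg_index - window)
    return list(range(start, image_msg_index + 1))


def find_secret_like(text):
    """Return (pattern_name, matched_text) for every secret-shaped substring."""
    return [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


def preview_outbound(jsonl_text, window=10):
    """For each image, report how many messages would be sent along with it and
    which of them contain secret-shaped text. Matches are truncated in the
    report so the preview itself does not reproduce a full credential."""
    messages = load_session(jsonl_text)
    report = []
    for mi, bi in image_positions(messages):
        indices = outbound_indices(mi, window)
        findings = [
            {"message_index": idx, "pattern": name, "match": match[:12] + "..."}
            for idx in indices
            for name, match in find_secret_like(text_of(messages[idx]))
        ]
        report.append({"image_message": mi, "image_block": bi,
                       "context_messages": len(indices), "secret_like": findings})
    return report


if __name__ == "__main__":
    for entry in preview_outbound(SAMPLE_JSONL):
        print(json.dumps(entry, indent=2))
```

Run it against a copy of the session file before the live run; any non-empty secret_like list is a message to redact or a session to leave out of --all-sessions, regardless of what the image itself shows.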

ASI02: Tool Misuse and Exploitation
Medium
What this means

Running live shrink changes what agents will later see in their session history.

Why it was flagged

The skill has file-mutation authority over OpenClaw session history. The behavior is disclosed, scoped to the stated purpose, and mitigated by backups and dry-run/confirmation flow.

Skill content
writes modified JSONL files (replaces image blocks with text) ... creates .bak backup files before writing
Recommendation

Review dry-run output, keep backups enabled, and use --all-sessions only when you intentionally want broader changes.

ASI08: Cascading Failures
Low
What this means

Choosing Apply Now can briefly interrupt all agents.

Why it was flagged

The optional apply step restarts the gateway and affects all agents, not only the shrunk session. The artifact explicitly says this is user-initiated and must be warned about.

Skill content
Apply Now → run `openclaw gateway restart` (~5 sec downtime, all agents reload clean)
Recommendation

Only use Apply Now when a short all-agent reload is acceptable; otherwise choose Apply Later.

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user might overtrust generated descriptions and rely on them instead of verifying important visual details.

Why it was flagged

The documentation strongly claims lossless preservation even though replacing images with model-generated descriptions can miss or misstate details. Backups reduce the risk, but users should not treat the descriptions as guaranteed perfect.

Skill content
96-99% token reduction. Zero information loss.
Recommendation

Keep .bak files, inspect important outputs, and retain original images/session backups when accuracy matters.
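The .bak files are only useful if you actually compare them with the rewritten session. The checker below, an added example written for this review and not part of Shrink, does that comparison mechanically for the ASI02 and ASI09 concerns above: it confirms that the rewritten file has the same messages in the same order, that every image block became exactly one non-empty text block, and that nothing else (other blocks, roles, metadata fields) changed. It assumes the same Anthropic-style JSONL layout as the skill content describes (one message per line, a "content" list of typed blocks); the sample sessions are constructed for the example, and the generated descriptions are handed back for human review rather than trusted as lossless.

```python
import json


def load_jsonl(text):
    """Parse JSONL into a list of message dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_rewrite(backup_text, rewritten_text):
    """Compare a .bak session with its rewritten version.

    Returns (replacements, issues). replacements lists (message_index,
    block_index, description) for every image that was turned into text so a
    human can read the descriptions; issues lists every deviation from the
    "only image blocks become text blocks" contract. A clean run has issues == [].
    """
    orig = load_jsonl(backup_text)
    new = load_jsonl(rewritten_text)
    replacements, issues = [], []
    if len(orig) != len(new):
        issues.append(f"message count changed: {len(orig)} -> {len(new)}")
        return replacements, issues
    for mi, (o, n) in enumerate(zip(orig, new)):
        # Every field except content must be identical (role, ids, timestamps...).
        if {k: v for k, v in o.items() if k != "content"} != \
           {k: v for k, v in n.items() if k != "content"}:
            issues.append(f"message {mi}: non-content fields changed")
        oc, nc = o.get("content"), n.get("content")
        if not (isinstance(oc, list) and isinstance(nc, list)):
            # Plain-string content has no image blocks, so it must be untouched.
            if oc != nc:
                issues.append(f"message {mi}: non-list content changed")
            continue
        if len(oc) != len(nc):
            issues.append(f"message {mi}: block count changed {len(oc)} -> {len(nc)}")
            continue
        for bi, (ob, nb) in enumerate(zip(oc, nc)):
            if isinstance(ob, dict) and ob.get("type") == "image":
                if nb.get("type") != "text" or not str(nb.get("text", "")).strip():
                    issues.append(f"message {mi} block {bi}: image not replaced by non-empty text")
                else:
                    replacements.append((mi, bi, nb["text"]))
            elif ob != nb:
                issues.append(f"message {mi} block {bi}: non-image block modified")
    return replacements, issues


# Constructed sample: a backup session and a clean rewrite of it.
BACKUP = "\n".join(json.dumps(m) for m in [
    {"role": "user", "content": [{"type": "text", "text": "Look at this"},
                                 {"type": "image", "source": {"type": "base64",
                                  "media_type": "image/png", "data": "iVBORw0KGgo="}}]},
    {"role": "assistant", "content": [{"type": "text", "text": "I see a login form."}]},
])
CLEAN_REWRITE = "\n".join(json.dumps(m) for m in [
    {"role": "user", "content": [{"type": "text", "text": "Look at this"},
                                 {"type": "text", "text": "[image: screenshot of a login form with username and password fields]"}]},
    {"role": "assistant", "content": [{"type": "text", "text": "I see a login form."}]},
])
# Constructed sample of a bad rewrite: the assistant's reply was altered too.
TAMPERED_REWRITE = CLEAN_REWRITE.replace("I see a login form.", "I see nothing.")


if __name__ == "__main__":
    for label, rewritten in (("clean", CLEAN_REWRITE), ("tampered", TAMPERED_REWRITE)):
        replacements, issues = verify_rewrite(BACKUP, rewritten)
        print(label, "issues:", issues)
        for mi, bi, desc in replacements:
            print(f"  message {mi} block {bi} -> {desc}")
```

Point it at the .bak and the rewritten file for each session before deleting backups. Any issue means the rewrite did more than advertised and the backup should be restored; an empty issue list still leaves the descriptions themselves for you to read, because the tool cannot judge whether "screenshot of a login form" captured the detail that mattered.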

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

It is harder to independently verify the publisher or compare the installed files to an upstream release.

Why it was flagged

The registry metadata provides no verified source or homepage, so the publisher and the upstream release cannot be confirmed from the listing alone. The supplied artifacts do include the local script and use no remote install mechanism, which narrows the exposure but does not close the verification gap.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the ClawHub package and publisher; if needed, compare the package contents with the project links in the README.