Context Compression

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate context-management purpose, but it needs review because it can rewrite session history and persist conversation-derived facts while some safety claims are inaccurate.

Install only if you are comfortable with a local tool periodically reading and rewriting OpenClaw session files and saving selected conversation facts into memory files. Keep AI-assisted identification disabled unless you accept possible remote LLM processing through your OpenClaw configuration, make your own backups before enabling cron, and review generated memory notes regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (31)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The manifest presents the skill as local context management, yet the documentation admits an AI-assisted mode that may send session content to remote LLM services. That creates a meaningful data-flow surprise because sensitive conversation history may leave the local environment under a feature not reflected in the primary description.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding:
A feature that can send session content to remote LLM-backed services materially increases confidentiality risk and is only loosely related to overflow prevention. Even if optional, bundling it into a context-compression skill broadens the attack surface and increases the chance of accidental disclosure of secrets contained in sessions.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding:
The script persists extracted session-derived content into dated memory notes, creating a new long-term storage channel for user conversation data. In a context-compression skill this may be functionally related, but doing it automatically and without minimization or consent increases privacy risk and broadens data retention beyond transient compression.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The code scans raw session logs and infers preferences, decisions, reminders, and tasks from user messages, which is a form of behavioral profiling from conversation history. That capability is broader than simple context truncation and becomes risky because inference is automatic, opaque, and based on raw session data rather than explicit user commands.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding:
The script advertises context compression but writes the entire daily note into the summary file, merely wrapping it with metadata. In a system relying on summaries to reduce prompt size or limit retention, this defeats the control and can propagate sensitive or excessive context into later workflows, increasing token usage and unintended data exposure.

Intent-Code Divergence

Medium
Confidence: 90%
Finding:
The inline documentation claims the script compresses daily notes, but the implementation only copies them into a wrapper file. This mismatch can mislead operators into trusting the skill as a safety or context-management control when it is not, causing inappropriate handling of sensitive data and ineffective overflow prevention.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding:
The script sends conversation content to a separate `openclaw agent` for analysis and, on failure, stores pending copies under `/tmp`. That expands data exposure beyond simple local truncation/memory preservation and introduces additional retention and disclosure risk for potentially sensitive session content.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding:
The script invokes a general-purpose agent on conversation data to extract facts, which grants broader processing capability than strictly needed for overflow prevention. In this context, the danger is unnecessary expansion of the trust boundary: raw dialogue is exposed to another agent that may mishandle, over-interpret, or retain sensitive information.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The script explicitly extracts conversational content and persists it into a long-term MEMORY.md file, including categories like preferences, decisions, timing, and relationships. In a context-compression skill, retaining distilled state may be expected, but this implementation goes beyond minimal truncation by storing potentially sensitive personal details without clear minimization or user consent controls.

Intent-Code Divergence

Low
Confidence: 88%
Finding:
The comments state processing is local and contained within the workspace, but the script creates a temporary file under /tmp, outside that boundary. This discrepancy matters because /tmp is a shared system location and can weaken privacy guarantees, especially on multi-user systems or when temp-file handling is insecure.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding:
This hook goes beyond context compression and inspects recent raw session transcripts for "important" content, then persists the results in an alert file. That creates an additional surveillance and retention channel for potentially sensitive conversational data that is not clearly disclosed by the skill description, increasing privacy risk and scope creep.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding:
The function searches recent session JSONL files for keywords indicating important content, which is effectively transcript monitoring. In a skill presented as context-compression and memory preservation, this broader access to session content is more dangerous because it can inspect private user conversations without a narrowly bounded need.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding:
The script permanently replaces the original session file with a filtered subset, but it does not implement any backup, archive, or separate memory-preservation store despite claiming to preserve memory. In a context-compression skill, this can silently destroy conversation history, user preferences, or audit-relevant context, making the feature materially riskier than advertised.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding:
The script explicitly supports an AI-assisted fact-identification mode and comments acknowledge it may send session content to remote LLMs. That creates a real confidentiality risk because session files can contain sensitive user data, and the skill's stated purpose does not imply external transmission of conversation history.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
At the fact-identification call site, the script conditionally switches to an enhanced helper for AI-assisted analysis and pipes truncated session content into it. Even if opt-in, this introduces unnecessary data exposure for a context-compression utility and expands the trust boundary to external services.

Missing User Warnings

Medium
Confidence: 95%
Finding:
Session-derived content is written into persistent notes automatically with no confirmation, preview, or warning to the user. This creates a privacy and consent failure because sensitive statements may be retained indefinitely without the user's awareness.

Missing User Warnings

Medium
Confidence: 91%
Finding:
Conversation content is sent to a sub-agent without any visible user-facing disclosure or consent mechanism. Because the script processes potentially sensitive dialogue during truncation, hidden secondary processing materially increases privacy and trust risks.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The script writes extracted facts into persistent `MEMORY.md` without any explicit warning, consent, or retention policy. Since the stored categories include preferences, relationships, and time-based information, users may unknowingly have sensitive personal data retained long-term.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The executable path writes extracted facts into MEMORY.md automatically, with no user-facing warning, confirmation, or runtime transparency. Because the captured facts can include personal or sensitive conversational content, silent persistence creates a meaningful privacy and consent risk.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The script automatically locates and scans the user's latest local session log for specific keywords, but it provides no user-facing notice, consent flow, or clear boundary on what conversation content may be inspected. Because session logs can contain sensitive prompts, personal data, or secrets, silently processing them creates a privacy risk and can expose more data than users expect from a context-compression utility.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The hook automatically creates and modifies files in the user's workspace on session start without any prior notice, consent, or opt-in. Even though the writes are limited to the configured workspace, startup hooks run implicitly, so silent persistence and mutation of user data can violate user expectations and create audit, privacy, and integrity risks.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The script reads recent memory entries and exports them into environment variables, which can expose potentially sensitive user data to child processes, plugins, logs, crash reports, or other tooling launched in the same environment. Because this happens automatically at session start and without explicit disclosure, it broadens the data exposure surface beyond the original files.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill overwrites session files in place with no user confirmation, dry-run mode, or safety interlock. Because these are session histories, silent destructive modification can remove evidence, user instructions, or operational context and can be triggered simply by running the tool in its normal mode.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The configuration comments reveal that content may be sent to remote AI services, but there is no visible runtime disclosure or consent mechanism in this script before processing session data. Hidden or non-obvious exfiltration of conversation content is dangerous because users may reasonably expect compression to be local-only.

Ssd 3

Medium
Confidence: 94%
Finding:
The script extracts recent user messages from session history and prepares them for later persistence, which can capture sensitive or private data present in ordinary conversation. Because extraction is broad and based on recent raw logs, secrets, personal details, or confidential instructions may be copied outside the original session context.

VirusTotal

62/62 vendors flagged this skill as clean.
