Compaction UI Enhancements

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide the advertised OpenClaw chat compaction UI, with disclosed privacy and session-state tradeoffs users should understand.

Install only if you want OpenClaw to compact chat context automatically when token usage is high. Review the Compaction settings after installation, disable auto-compaction if you want manual control, leave result storage off unless you need saved summaries, and remember that compaction can send conversation-derived content through your configured chat model/auth provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This change materially expands compaction from deterministic local transcript trimming into an LLM-driven operation with model selection, workspace context, and injected instructions. That creates a new trust boundary: session compaction now processes attacker-influenced prompt content and potentially broader local context, enabling prompt-injection, unintended data access, or unsafe side effects beyond the skill’s stated UI/background compaction purpose.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The RPC forwards caller-controlled instructions directly into the compaction engine, turning a maintenance endpoint into a general prompt-injection surface. Any caller able to hit this RPC can steer the summarizer to retain, omit, reinterpret, or exfiltrate sensitive content, and potentially induce broader behavior if the compaction engine has access to tools or local context.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Supplying a workspace directory from config or environment to the LLM compaction engine broadens available context beyond the session transcript and is not necessary for ordinary memory compaction. In the presence of hostile transcript content or custom instructions, this can increase the blast radius to local project data or user files, especially if the engine can inspect files or derive summaries from workspace state.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes automatic background compaction and optional result storage, but does not clearly warn users that conversation-derived content may be persisted locally and triggered automatically after chat activity. In a memory-management feature, this increases the chance that sensitive chat content is summarized and retained without users fully understanding when it happens or what data is stored.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly stores compaction summaries in a local config file and even includes an example showing raw summary text persisted on disk, but it provides no explicit privacy or data-handling warning. Because summaries condense entire conversations, the stored file may contain secrets, personal data, or proprietary content that users may not expect to remain accessible after compaction.

VirusTotal

66/66 vendors flagged this skill as clean.
