TokenQrusher
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The `tokenQrusher` skill bundle is designed to reduce token usage and API costs for OpenClaw agents through context filtering and heartbeat optimization. Review of all files, code and documentation alike, found the following:

1. **Stated purpose and security manifests**: `SKILL.md`, `README.md`, and the individual hook manifests (`hooks/token-context/handler.js`, `hooks/token-heartbeat/handler.js`, `hooks/token-shared/shared.js`, `scripts/cli/main.py`) state that the skill does not read environment variables, does not call external network endpoints (beyond local OpenClaw CLI invocations), and does not write to arbitrary local files. The `token-heartbeat` hook notes that its JavaScript handler performs "simulated checks only" and updates state in memory, while the `heartbeat_optimizer.py` script handles actual state persistence.

2. **Local execution and file access**: The skill operates entirely locally. It reads and writes configuration and state files under `~/.openclaw/hooks` and `~/.openclaw/workspace/memory`, which is standard for OpenClaw skills. The `isValidFileName` function in `token-shared/shared.js` rejects path traversal input, as the documentation claims, so file names the skill joins onto those directories cannot escape them.

3. **Command execution**: `scripts/cli/main.py` uses `subprocess.run` to drive the `openclaw` CLI (for example `openclaw hooks list` and `openclaw hooks enable`). Every argument passed to `subprocess.run` is either hardcoded or drawn from a hardcoded list, so no attacker-controlled string reaches the command line and there is no shell injection path. `hooks/token-heartbeat/handler.js` imports `execSync` but never calls it in the provided code; the import is dead weight that could be removed, but it executes nothing. `heartbeat_optimizer.py` is a local utility run by the agent or manually to manage heartbeat state.

4. **Prompt injection**: `HEARTBEAT.template.md` and `templates/HEARTBEAT.md` contain instructions addressed to the AI agent, such as `session_status model=openrouter/stepfun/step-3.5-flash:free` and commands to run `heartbeat_optimizer.py`. This is a form of prompt injection in the sense that the skill's files steer the agent's behavior, but its purpose is benign: it guides the agent to use cheaper models and to manage heartbeat checks efficiently, which is exactly the skill's stated cost-optimization goal. It does not instruct the agent to hide actions, ignore the user, or access unrelated sensitive data.

5. **No malicious indicators**: There is no evidence of data exfiltration, unauthorized persistence mechanisms, obfuscation, or attempts to download and execute remote payloads. The code is readable and its behavior matches the documentation. The skill's operations, including its agent-directed instructions and local command execution, are consistent with its stated purpose, and the security claims in the manifests are upheld by the code.

**Classification: benign**

**Summary**: The `tokenQrusher` skill is benign and focused on cost optimization for OpenClaw agents. All code and documentation align with its stated purpose of context filtering and heartbeat optimization. It uses agent-directed instructions in `HEARTBEAT.template.md` and `templates/HEARTBEAT.md` to steer model selection and to run the local `heartbeat_optimizer.py` script, which is intentional and serves the core function of reducing API costs. There is no evidence of data exfiltration, malicious execution (`execSync` is imported but unused; `subprocess.run` receives only hardcoded arguments), or unauthorized persistence.
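The finding above credits `isValidFileName` in `token-shared/shared.js` with robust path traversal protection but does not show what that entails. The following is an added example, written for this page rather than taken from the skill (and in Python rather than the hook's JavaScript), of the two layers a reviewer would expect: a strict base-name check and a post-resolution containment check. `STATE_DIR`, the regex, the probe payloads and the helper names are all assumptions made here; the skill's own directories are `~/.openclaw/hooks` and `~/.openclaw/workspace/memory`.

```python
import re
from pathlib import Path

# Hypothetical state directory chosen to keep the example deterministic; the skill
# itself writes under ~/.openclaw/hooks and ~/.openclaw/workspace/memory.
STATE_DIR = Path("/tmp/openclaw-example/memory")

# A bare file name: letters, digits, dot, dash, underscore; must not start with a
# dot, so ".", ".." and dotfiles are excluded; capped at 128 characters.
_NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")


def is_valid_file_name(name: object) -> bool:
    """Accept only a plain base name that is safe to join onto a fixed directory."""
    if not isinstance(name, str) or not name:
        return False
    if "\x00" in name:                      # NUL truncates paths in C-level APIs
        return False
    if "/" in name or "\\" in name:         # no separators of either flavour
        return False
    return _NAME_RE.fullmatch(name) is not None


def resolve_inside(base: Path, name: str) -> Path:
    """Validate, join, resolve (following symlinks) and confirm the result is a
    direct child of base. This also catches a symlink planted inside the state
    directory that points elsewhere, which a string check alone cannot see."""
    if not is_valid_file_name(name):
        raise ValueError(f"rejected file name: {name!r}")
    base_resolved = base.resolve()
    target = (base_resolved / name).resolve()
    if target.parent != base_resolved:
        raise ValueError(f"{name!r} resolves outside {base_resolved}")
    return target


def escapes_base(name: str, base: Path = STATE_DIR) -> bool:
    """True when resolve_inside refuses the name (helper for the checks below)."""
    try:
        resolve_inside(base, name)
    except ValueError:
        return True
    return False


# Constructed probe set: what a reviewer would throw at a file-name validator.
TRAVERSAL_PAYLOADS = [
    "../../.bashrc",        # classic dot-dot-slash
    "..", ".",              # bare dot entries
    "/etc/passwd",          # absolute path
    "..\\..\\win.ini",      # backslash traversal
    "memory/../../x.json",  # traversal hidden behind a plausible prefix
    "state.json\x00.txt",   # NUL truncation
    "%2e%2e%2f",            # URL-encoded dot-dot-slash left undecoded
    ".env",                 # dotfile
    "",                     # empty
]
VALID_NAMES = ["state.json", "heartbeat-2026-05-12.md", "ctx_v2.json"]


def validator_rejects_all(payloads=TRAVERSAL_PAYLOADS) -> bool:
    return all(not is_valid_file_name(p) for p in payloads)


def validator_accepts_all(names=VALID_NAMES) -> bool:
    return all(is_valid_file_name(n) for n in names)


if __name__ == "__main__":
    print("rejects traversal:", validator_rejects_all())
    print("accepts benign:", validator_accepts_all())
    print("state.json ->", resolve_inside(STATE_DIR, "state.json"))
```

The allowlist regex does the real work; `resolve_inside` exists because a name that passes every string check can still be a symlink inside the state directory, and only resolving the final path exposes that.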
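The command-execution finding rests on `subprocess.run` receiving only hardcoded or allowlisted arguments. The following is an added example, not code from `scripts/cli/main.py`, of that pattern with the check a reviewer would run against it: an argv builder whose tokens come only from fixed tuples, invoked without a shell. `ALLOWED_ACTIONS`, `ALLOWED_HOOKS`, the function names and the injectable `runner` are assumptions made here so the example runs where `openclaw` is not installed.

```python
import subprocess
from typing import Callable, List, Optional

# Hypothetical allowlists for the example; main.py's own hardcoded values may differ.
ALLOWED_ACTIONS = ("list", "enable", "disable")
ALLOWED_HOOKS = ("token-context", "token-heartbeat")


def build_openclaw_argv(action: str, hook: Optional[str] = None) -> List[str]:
    """Assemble argv for `openclaw hooks <action> [hook]` from allowlisted tokens.

    Membership is exact equality against a fixed tuple, so a value such as
    "token-context; rm -rf ~" or "token-context $(id)" can never become an element.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    argv = ["openclaw", "hooks", action]
    if action == "list":
        if hook is not None:
            raise ValueError("list takes no hook argument")
        return argv
    if hook not in ALLOWED_HOOKS:
        raise ValueError(f"hook not allowed: {hook!r}")
    return argv + [hook]


def run_openclaw(action: str, hook: Optional[str] = None,
                 runner: Callable = subprocess.run):
    """Invoke the CLI with an argv list and no shell.

    With shell=False (the default) the list is handed to execve as-is, so shell
    metacharacters in any element are literal bytes and are never interpreted.
    `runner` is injectable so the example can be exercised without `openclaw`.
    """
    argv = build_openclaw_argv(action, hook)
    return runner(argv, check=True, capture_output=True, text=True)


def is_accepted(action: str, hook: Optional[str] = None) -> bool:
    """True when the builder would produce an argv for these inputs."""
    try:
        build_openclaw_argv(action, hook)
    except ValueError:
        return False
    return True


# The pattern an audit would flag, shown for contrast and never executed here:
#   subprocess.run(f"openclaw hooks enable {hook}", shell=True)
# With hook = "x; id" the shell parses that string as two commands.

if __name__ == "__main__":
    echo = lambda argv, **kw: argv   # stand-in runner that just returns argv
    print(run_openclaw("enable", "token-context", runner=echo))
    print(is_accepted("enable", "token-context; rm -rf ~"))
```

The two properties to verify in a real review are visible here: no user-supplied string is ever concatenated into a command, and `subprocess.run` is never given `shell=True`. Either one alone is not enough; an allowlist does nothing if the argv is later joined into a shell string.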
