qui-context-optimizer
Security checks across malware telemetry and agentic risk
Overview
This context optimizer is purpose-aligned, but it uses a SkillBoss API key, external npm/model dependencies, and a local conversation archive that users should configure deliberately.
Install only if you are comfortable with SkillBoss API use and local archived conversation memory. Before enabling it broadly, review the npm dependencies, protect SKILLBOSS_API_KEY, configure or disable the archive, and clear archived data that may contain secrets.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill or integrated agent may use the SkillBoss account associated with the API key, including any billing or account limits tied to that key.
The skill expects a provider API key for the stated SkillBoss integration; this is not suspicious by itself, but it grants delegated service access.
LLM calls route through `POST https://api.heybossai.com/v1/pilot` using `SKILLBOSS_API_KEY`.
Use a scoped SkillBoss key if available, keep it in the environment rather than files, and confirm the endpoint and permissions before use.
Installing the skill can pull third-party packages and model files onto the machine.
The skill relies on npm dependency resolution and a model download for embedding-based archive search, which is expected for the stated functionality but still introduces external supply-chain inputs.
# Install dependencies ... npm install ... First run downloads embedding model (~80MB)
Review package.json, consider using a lockfile or pinned versions, and install from a trusted working directory.
Private conversation fragments may persist locally and can be retrieved into later context; stale or adversarial content in the archive could influence future responses.
The default configuration enables a local archive and the code writes archived conversation-derived entries to disk for later search/retrieval.
enableArchive: true, archivePath: './context-archive' ... await fs.writeFile(entryPath, JSON.stringify(entry, null, 2));
Set an explicit archivePath, reduce archiveMaxSize, disable enableArchive when persistence is not needed, and periodically delete archive data containing sensitive material.