Oktk

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for compressing command output, but it wraps shell commands and stores local cache/analytics, so users should enable it deliberately.

This appears safe for its stated purpose if you treat it as a command wrapper. Install/use it only if you are comfortable with it executing commands you pass to it and storing local cache/statistics under ~/.oktk. Avoid using it on secrets or highly sensitive outputs, use --raw when details matter, and only enable shell aliases if you want persistent auto-filtering.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using oktk as a wrapper can run real terminal commands, not just compress already-produced output.

Why it was flagged

The CLI can execute a command string through the shell before filtering its output. This matches the wrapper purpose, but shell execution is high-impact if the agent or user passes unsafe commands.

Skill content

const stdout = execSync(command, {

Recommendation

Use it only with commands you intentionally want to run; prefer explicit pipe mode for sensitive commands and review destructive commands before execution.

What this means

Some command output may be retained locally after the command finishes.

Why it was flagged

Filtered results are cached locally under the user's home directory. This supports the stated performance/cost-saving purpose, but command output may remain on disk for the cache TTL.

Skill content

this.cacheDir = options.cacheDir || process.env.OKTK_CACHE_DIR || path.join(process.env.HOME, '.oktk', 'cache');

Recommendation

Avoid filtering highly sensitive output, set OKTK_CACHE_TTL appropriately, or clear/disable the cache when needed.

What this means

Local analytics files may reveal recent command names, file paths, URLs, or project activity even with basic secret redaction.

Why it was flagged

The analytics module records local savings logs and sanitized command names. This is purpose-aligned for reporting savings, but it creates a local command history.

Skill content

this.logFile = options.logFile || process.env.OKTK_LOG_FILE || path.join(process.env.HOME, '.oktk', 'savings.log');

Recommendation

Disable tracking with configuration if command history is sensitive, and periodically remove ~/.oktk logs if desired.

What this means

Future sessions may use compressed command output through aliases unless the shell startup line is removed.

Why it was flagged

The skill suggests adding aliases to shell startup files for automatic filtering. This is user-directed and disclosed, but it changes future shell behavior.

Skill content

source ~/.openclaw/workspace/skills/oktk/scripts/oktk-aliases.sh

Recommendation

Only source the alias file if you want persistent auto-filtering; keep the --raw bypass available, and remove the source line from your shell startup file to disable it.

What this means

The skill may not work unless Node is present, and automated installers may not validate that requirement.

Why it was flagged

The registry metadata under-declares runtime needs compared with SKILL.md's Node requirement and package.json's CLI bin. This is an install/provenance clarity issue, not evidence of malicious behavior.

Skill content

Required binaries (all must exist): none

Recommendation

Confirm Node.js is installed and review the repository/source before relying on the global CLI.