ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiered Context Manager

v1.0.0

多Agent协作的智能会话上下文管理系统。当需要管理AI agent的长会话压缩、多层记忆分层、跨Agent知识共享时激活。支持L1/L2/L3分层压缩、实时监控、统计分析。用于OpenClaw agent的上下文管理优化。

0· 50·0 current·0 all-time
by@scorpioxyb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (tiered context compression, cross-agent sharing) align with the included code: modules implement L1/L2/L3 compression, memory tiers, cross-agent publishing, stats and monitoring. However the code assumes and manipulates local workspace/shared directories (many hard-coded absolute Windows paths like "E:\\zhuazhua\\..."), which is not declared in SKILL.md or the skill metadata. Those filesystem assumptions are not intrinsic to the stated high-level purpose and create a risk surface that a user would not expect from the description alone.
!
Instruction Scope
SKILL.md shows running node scripts and calling engine.compact(sessionFile). The scripts actually read arbitrary session files, extract potentially sensitive technical/config information, append/publish that extracted data into shared knowledge files, and can overwrite/migrate/cleanup memory files. The runtime instructions do not warn about these side effects or the default directories used, nor do they limit or filter extracted content — so the agent could read and publish secrets or local config data.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in terms of fetching remote code. However the package includes many executable scripts that will be run locally. No external downloads are performed, but the code will attempt to require a specific OpenClaw dist file using a hard-coded filename — that behavior can fail or load unexpected runtime code if the environment contains that path/file.
!
Credentials
The skill declares no env vars or credentials, yet the code aggressively reads and writes to local filesystem locations (workspace, shared memory, inbox, reports) and can move/delete files (cleanup/migrate). It also extracts technical items (paths, commands, config) from sessions and writes them to shared knowledge files, which is disproportionate and can lead to exfiltration of sensitive content despite no credentials being requested.
Persistence & Privilege
The skill is not marked always:true and uses the standard plugin register flow (index.js calls api.registerContextEngine). That is expected for a context engine. Still, index.js resolves a specific file inside the installed openclaw package (a particular dist filename), which is unusual and worth reviewing because it loads implementation code by path rather than a documented API. The skill does not explicitly alter other skills' configurations, but its filesystem operations may affect agent state and stored session files.
What to consider before installing
This package implements what it claims (tiered compression and cross-agent sharing) but contains several red flags you should consider before installing or running it: - Hard-coded absolute paths: many scripts use Windows-specific paths (e.g. E:\\zhuazhua\\...) to read/write sessions, inbox, shared memory, stats and reports. If your environment has such paths mounted those files will be read/written; if not the scripts may fail. Ask the author or replace these with configurable paths before use. - Unfiltered extraction & publishing: cross_agent_context extracts 'preferences', 'technical', 'commands', 'paths' from session content and appends them to a shared knowledge file. That can leak secrets, config values, or file paths from sessions to other agents. Do not run against sessions that may contain secrets until you audit and restrict extraction rules and output destinations. - File modification & cleanup: memory_tiering can rewrite file frontmatter, move files to an archive, or delete expired ephemeral files. Back up any workspace before running or run in an isolated sandbox. - Loading OpenClaw runtime by path: index.js uses require.resolve and then requires a specific dist filename (compact.runtime-C0J2-J-T.js). This is brittle and unusual; verify what that file is and prefer documented APIs instead of importing a specific build artifact. - Run in a sandbox first: execute the scripts in a controlled environment with non-sensitive data and override default directories to a temporary location. Search the codebase for all occurrences of absolute paths and for any file-deleting operations. If you intend to use it in production, require the author to make paths configurable and to add filtering/whitelisting of extracted content, and provide documentation about what is written to disk. What would increase confidence: a version that exposes configurable directories (no hard-coded absolute paths), documents and limits what is extracted/published, and uses documented OpenClaw APIs rather than requiring specific dist filenames. If the author provides a config/default.json that clearly maps default storage to a safe sandboxed directory, and demonstrates tests showing no sensitive data is published, the assessment could move toward benign.

Like a lobster shell, security has layers — review code before you run it.

compressionvk97fy0c1nsz3pf8cgzptyp0kjn847kwqcontextvk97fy0c1nsz3pf8cgzptyp0kjn847kwqlatestvk97fy0c1nsz3pf8cgzptyp0kjn847kwqmulti-agentvk97fy0c1nsz3pf8cgzptyp0kjn847kwqopenclawvk97fy0c1nsz3pf8cgzptyp0kjn847kwq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments