ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context Budgeting Pro

Manage and optimize OpenClaw context window usage via partitioning, pre-compression checkpointing, and information lifecycle management. Use when the session...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 163 · 0 current installs · 0 all-time installs
by@MKGNBEAR
fork of @SarielWang93/context-budgeting
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to manage context but the distributed artifacts reveal mismatches: the provided script invokes an 'openclaw' CLI and references a hard-coded workspace (/Users/yang/clawd), yet the registry metadata declares no required binaries or config paths. A context-budgeting tool plausibly needs an OpenClaw control mechanism, but the skill should declare that dependency and a configurable workspace path instead of embedding a specific user's path.
!
Instruction Scope
SKILL.md mandates creating/updating memory/hot/HOT_MEMORY.md and running the script to 'finalize compaction' and instructs removing large raw data after summarization. Those actions directly modify local session state and can cause loss of raw outputs if run incorrectly. The instructions also reference a 'Heartbeat' check and '/status' without specifying how to access that status endpoint or what privileges are required.
Install Mechanism
There is no install spec (instruction-only) which limits on-disk risk, but the included scripts/gc_and_checkpoint.sh will run locally and call external binaries. The lack of an install spec is not itself dangerous, but the script assumes the presence of an 'openclaw' command and a specific filesystem layout without declaring or installing them.
!
Credentials
The skill requests no environment variables or credentials, which superficially looks benign, but the script accesses a hard-coded absolute path and will read/write HOT_MEMORY.md under that workspace. This is disproportionate because the skill did not declare the need to access that path or the openclaw CLI; it therefore may unexpectedly touch user files. No secrets are requested, however.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It does invoke session compaction via the OpenClaw CLI which alters agent/session state — a legitimate action for this skill — but combined with the undeclared dependency and hard-coded path, it increases the risk of unintended state changes.
What to consider before installing
This skill appears to do what it says (manage context), but it contains unsafe assumptions and omissions. Before installing: (1) review and edit scripts/gc_and_checkpoint.sh — replace the hard-coded WORKSPACE with a configurable path and verify it points to the intended directory; (2) confirm the 'openclaw' CLI exists and is the correct binary, and add that as a declared dependency; (3) back up HOT_MEMORY.md and any large raw outputs — compaction can delete or permanently discard raw data; (4) test the script in a non-production environment to confirm behavior; (5) ask the author why no required binaries/config paths were declared and request explicit documentation for the heartbeat /status check; (6) if you cannot verify the script and its effects, do not run it with real sessions or sensitive data. These issues look like sloppy configuration rather than clearly malicious code, but they create an elevated risk of accidental data loss or unintended session changes.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97eck6j1bg2x9qmb7vm5r5zax82h7mw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Context Budgeting Skill

This skill provides a systematic framework for managing the finite context window (RAM) of an OpenClaw agent.

Core Concepts

1. Information Partitioning

  • Objective/Goal (10%): Core task instructions and active constraints.
  • Short-term History (40%): Recent 5-10 turns of raw dialogue.
  • Decision Logs (20%): Summarized outcomes of past steps ("Tried X, failed because Y").
  • Background/Knowledge (20%): High-relevance snippets from MEMORY.md.

2. Pre-compression Checkpointing (Mandatory)

Before any compaction (manual or automatic), the agent MUST:

  1. Generate Checkpoint: Update memory/hot/HOT_MEMORY.md with:
    • Status: Current task progress.
    • Key Decision: Significant choices made.
    • Next Step: Immediate action required.
  2. Run Automation: Execute scripts/gc_and_checkpoint.sh to trigger the physical cleanup.

Automation Tool: gc_and_checkpoint.sh

Located at: skills/context-budgeting/scripts/gc_and_checkpoint.sh

Usage:

  • Run this script after updating HOT_MEMORY.md to finalize the compaction process without restarting the session.

Integration with Heartbeat

Heartbeat (every 30m) acts as the Garbage Collector (GC):

  1. Check /status. If Context > 80%, trigger the Checkpointing procedure.
  2. Clear raw data (e.g., multi-megabyte JSON outputs) once the summary is extracted.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…