Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Token Pilot

Automatic token optimization during interaction. Behavioral rules + plugin synergy + workspace analyzer. Pure Node.js, cross-platform. Activate on session st...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 226 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included code: Node.js scripts audit, catalog, and optimize workspaces, crons, and agent config to reduce token usage. The required capabilities (filesystem access under ~/.openclaw, Node runtime) are proportional to this purpose.
Instruction Scope
SKILL.md instructs agents to read workspace files, create disk context files, move junk files to scripts/, and delete BOOTSTRAP.md when --apply is used. Those are coherent with 'cleanup' but are destructive operations (move/delete) that affect user files. SKILL.md also states the 6 rules 'apply every session automatically' which is ambiguous — the skill metadata does not set always:true and the code only runs when invoked; this mismatch could lead to unexpected autonomous behavior if the agent implements the rules. Recommend caution because the runtime instructions permit broad filesystem reads and changes (across all ~/.openclaw/workspace-*), and writing context files to disk may expose data in different locations.
Install Mechanism
No network downloads or install scripts; code is bundled with the skill and uses only Node built-ins (fs/path/os). There is no external URL/extraction risk. This is the lower-risk install profile.
Credentials
No required environment variables or external credentials are requested. Scripts use standard environment values (home dir, APPDATA) to find OpenClaw dirs; that is consistent with the stated functionality.
Persistence & Privilege
Metadata sets always:false (normal), but SKILL.md claims rules 'apply every session automatically' which is inconsistent. While the skill itself does not declare forced persistent installation, its behavior (auto-detection of all ~/.openclaw/workspace-* and ability to move/delete files with --apply) means it can materially change user state if run. This combination (ambiguous auto-apply claim + filesystem-modifying actions) is the primary privilege concern.
What to consider before installing
This skill appears to do what it claims (audit and optimize OpenClaw workspaces) but it will scan all ~/.openclaw/workspace-* directories and can move or delete files when run with --apply. Before installing or running it:
1) Review the scripts (audit.js/optimize.js/catalog.js) line-by-line to confirm no unintended paths are targeted;
2) Run audit/optimize without --apply first to see recommendations;
3) Back up your ~/.openclaw workspaces or use a copy/temporary environment;
4) Do not run --apply until you are comfortable with the exact file operations;
5) Clarify how the SKILL.md 'auto-apply every session' behavior is enforced in your agent (metadata does not mark the skill as always:true) — disable autonomous invocation or confirm agent policy if you don't want rules implicitly enforced.
If you need higher assurance, run the scripts in a sandboxed account or container first.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.4.0
latestvk97b1j6k2gcmtj8q0jpg1c6xys82heen

SKILL.md

Token Pilot

Auto-Apply Rules

These 6 rules apply every session automatically. No scripts needed.

R1: Smart Read

read(path, limit=30) first. Full read only for files known <2KB. Use offset+limit for surgical reads. Never blind-read >50 lines. Exception: When building ACP context files (coding-lead), read project standards files fully — incomplete context causes ACP failures that waste more tokens than the initial read.

R2: Tool Result Compression

Tool result >500 chars → extract relevant portion only. Summarize, don't echo.

R3: Response Brevity

| Query | Length |
|---|---|
| Yes/No, simple factual | 1-3 lines |
| How-to | 5-15 lines |
| Analysis | As needed |

"Done." is a valid reply. Never pad short answers.

R4: No Repeat Reads

Never re-read a file unless modified since last read or explicitly asked.

R5: Batch Tool Calls

Independent calls → one block. read(A) + read(B) + read(C) not three round-trips.

R6: Output Economy

  • edit over write when <30% changes
  • Show changed lines + 2 context, not full files
  • Filter exec output before dumping

Plugin Synergy (auto-detect, graceful fallback)

[qmd] Search Before Read

qmd/memory_search("keyword") → exact file+line → read(offset, limit). Fallback: grep / Select-String with targeted patterns.

[smart-agent-memory] Avoid Re-Discovering

memory recall "topic" before investigating → skip if already solved. After solving: memory learn to prevent re-investigation. Fallback: memory_search + MEMORY.md files.

[coding-lead] Context File Pattern

Write context to disk → lean ACP prompt ("Read .openclaw/context.md") → significant savings vs embedding. Prefer disk context files for large context, but include essential info (project path, stack, key constraint) directly in spawn prompt (~200-500 chars) so ACP agent can bootstrap even if context file is missing.

ACP model awareness: claude-code (complex) → codex (quick) → direct exec (simple <60 lines).

[multi-search-engine] Search Economy

Simple: web_search 3 results. Research: 5 results, web_fetch best one only. Fallback: web_search → web_fetch (tavily is deprecated; do not configure it).

[team-builder] Multi-Agent Awareness

  • Light cron tasks: lightContext + cheapest model
  • Cron prompts <300 chars; SOUL.md has detailed behavior
  • Agent SOUL.md <600 tok; methodology in references/ only

On-Demand Commands

# Audit (read-only diagnostics)
node {baseDir}/scripts/audit.js --all             # Full audit
node {baseDir}/scripts/audit.js --config          # Config score (5-point)
node {baseDir}/scripts/audit.js --synergy         # Plugin synergy check

# Optimize (actionable recommendations)
node {baseDir}/scripts/optimize.js                # Full scan: workspace + cron + agents
node {baseDir}/scripts/optimize.js --apply        # Auto-fix workspace (cleanup junk, delete BOOTSTRAP.md)
node {baseDir}/scripts/optimize.js --cron         # Cron model routing + lightContext + prompt compression
node {baseDir}/scripts/optimize.js --agents       # Agent model tiering recommendations
node {baseDir}/scripts/optimize.js --template     # Show optimized AGENTS.md template (~300 tok)

# Catalog
node {baseDir}/scripts/catalog.js [--output path] # Generate SKILLS.md index

Config Recommendations

{
  "bootstrapMaxChars": 12000,
  "bootstrapTotalMaxChars": 20000,
  "compaction": { "mode": "safeguard" },
  "heartbeat": { "every": "55m", "activeHours": { "start": "08:00", "end": "23:00" } }
}

Model Routing

| Complexity | Model Tier | Examples |
|---|---|---|
| Light | Cheapest (gemini/haiku) | inbox scan, status check |
| Medium | Mid (gpt/sonnet) | web search, content |
| Heavy | Top (opus) | architecture, briefs |

References

  • references/workspace-patterns.md — File organization for minimal token cost
  • references/cron-optimization.md — Cron model routing guide
