Clawsaver
v1.4.7Reduce model API costs by 20–40% through intelligent message batching. Buffer related messages, send once.
⭐ 0· 536·1 current·1 all-time
by@ragesaq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (batching to reduce model calls) matches the provided code, examples, and docs. The skill requests no env vars or binaries and the included files (SessionDebouncer.js, example integration) are what you'd expect for this purpose.
Instruction Scope
SKILL.md and integration docs keep to batching/flush/metrics behavior and show how to call your own model; they do reference optional use of process.env.CLAWSAVER_PROFILE (an optional tuning hook) but that environment variable is not declared as required. The docs repeatedly assert "no telemetry / no network calls," which is consistent with the described in-memory debouncer, but you should still inspect the code (SessionDebouncer.js, example-integration.js) to confirm there are no hidden network calls or unexpected file reads.
Install Mechanism
There is no install spec (instruction-only at runtime), which is low-risk. However this bundle includes repository scripts (publish.sh, demo.js) that can perform network operations if executed — those are developer/publisher utilities, not required at runtime, but you should avoid running publish.sh or demo scripts until you audit them.
Credentials
The skill declares no required credentials or config paths. The only minor mismatch is optional documentation examples that read process.env.CLAWSAVER_PROFILE — an optional tuning variable, not a required secret. There are no unexplained requests for tokens/keys.
Persistence & Privilege
The skill does not request permanent presence (always is false) and does not attempt to modify other skills' configuration in the provided docs. Behavior is in-memory per-session debouncing; nothing indicates elevated privilege or forced inclusion.
Scan Findings in Context
[unicode-control-chars] unexpected: The static scan flagged unicode control characters in SKILL.md which can be used for prompt-injection or to hide content. This is unexpected for a plain documentation file and warrants manual inspection of the SKILL.md and code files to ensure there is no hidden or obfuscated content.
Assessment
High-level: ClawSaver appears coherent for the stated purpose — a small, in-memory session debouncer — and it does not request credentials or system-level access. Before installing or running in production: 1) Inspect SessionDebouncer.js and example-integration.js for any network calls, file-system reads/writes, or eval/child_process usage. 2) Do not run publish.sh or demo scripts until you audit them (they may contact registries). 3) Confirm tests (npm test) run in an isolated environment. 4) Pay attention to the unicode-control-chars scan finding in SKILL.md — open the file in a plain text editor to ensure nothing is hidden or obfuscated. If you want extra assurance, run the package in a staging sandbox and verify no outbound network connections occur during normal operation.Like a lobster shell, security has layers — review code before you run it.
latestvk97767syvtm6z6txevqcyh84rd826ns6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚡ Clawdis