Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context Cache Manager

v1.0.0

Provides fork-safe context cloning, intelligent compression of message history and fast restoration; supports multi-agent concurrency and efficient session management.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the provided Python implementation all align: the module compresses message history, clones fork-safe fields, saves/loads cache files, and exposes capture/restore/fork APIs. Nothing in the requirements requests unrelated cloud creds or external services. Note: using a user-home cache path (~/.openclaw/...) is reasonable for this purpose but could overlap with other local agent data.
Instruction Scope
Runtime instructions are focused on capturing, compressing, forking and restoring context and request file read/write permissions which are appropriate. However the SKILL.md contains content related to 'renderedSystemPrompt' and the pre-scan flagged a 'system-prompt-override' pattern — while handling system prompts is legitimate here, the presence of prompt-injection-like text means reviewers should confirm the skill does not attempt to overwrite agent/system prompts or otherwise manipulate agent trust boundaries.
Install Mechanism
No install spec; this is instruction+source-file only. Nothing is downloaded from external URLs and no installers are executed, which lowers supply-chain risk.
Credentials
The skill requests no external credentials, which fits the purpose. However the implementation serializes snapshots with pickle+gzip and later unpickles them from disk. Pickle can execute arbitrary code during deserialization if an attacker can write or replace cache files (e.g., in ~/.openclaw/...); this is a high-risk choice for persisted data. The skill also writes to user home paths that could be targeted by local attackers. Consider this disproportionate risk unless mitigated.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It creates and manages files under a workspace path in the user's home; that is a normal level of persistence for a cache manager.
Scan Findings in Context
[system-prompt-override] expected: The skill legitimately needs to capture and restore system_prompt/rendered_system_prompt fields, so references to system prompts are expected; however the pattern detector flagged potential prompt-injection wording in SKILL.md. Inspect whether the skill or its integration could be used to overwrite the agent's running system prompt or otherwise escalate privileges.
What to consider before installing
This skill appears to implement the advertised context caching features, but there are two important concerns to address before installing:

1) Pickle usage: the code persists snapshots with pickle and later unpickles them. If an attacker can create or replace files in the cache directory (~/.openclaw/workspace/.../context-cache), they can craft a pickle that runs arbitrary code when loaded. Mitigations: replace pickle with a safe format (JSON with strict schema) or sign/encrypt cache files and validate signatures before loading; restrict CACHE_DIR permissions; run the code in a sandbox.

2) Prompt-injection patterns: the SKILL.md and data model include system prompt fields. Ensure your agent platform does NOT allow this skill to overwrite the running system prompt or escalate privileges; verify any restored 'rendered_system_prompt' before applying it.

Additional practical steps: review/modify the source to remove pickle or add signature checks, set CACHE_DIR to an isolated path, run the module under least privilege, and only install from a trusted source or after code review. If you cannot mitigate the pickle/deserialization risk, treat the skill as unsafe for environments where untrusted users or processes can write to your home directory.
SKILL.md:27: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Tags: cache, claude-code, context, latest
