Skill

If the external installer or upstream project is compromised, it could change the user's local environment or agent tooling.

The Pro engine installer downloads a shell script from GitHub, executes it, and then runs a global auto-patch command. This is disclosed and related to token compression, but the provided artifacts do not show checksum/signature verification or a separate approval step before execution.

The agent could act on stale or cached tool output, or a repeated command could be skipped when the user expected it to run again.

The cache hook can intercept tool calls, including selected bash commands, and return a cached result instead of letting the live tool run. Some regex-based bash allowlisting, such as all rtk commands and find, may be broader than strictly read-only behavior.

Sensitive file contents or command output seen by the agent may persist in a local SQLite database and may be reused later as context.

The Pro cache stores tool results locally, including outputs from file reads, searches, grep, and some bash commands. The artifacts do not show path exclusions, secret filtering, encryption, or age-based deletion; the 4-hour check limits reuse but old entries can remain in the database until pruned by count.

Bash tool behavior may continue to be modified after setup and may affect future OpenClaw sessions beyond the immediate cost-optimization task.

The Engine setup installs a global PreToolUse hook that transparently rewrites bash commands. This is aligned with the compression feature, but it is persistent and globally scoped rather than limited to a single session or task.

The license key is transmitted to the vendor and stored locally where other local processes or users with file access may read it.

Pro activation sends the license key to api.clawtk.co and stores it in ~/.openclaw/clawtk-state.json. This is expected for a paid integration, but it is credential-like data.