Skill
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: clawtk Version: 1.1.0 The bundle provides cost-optimization tools but employs high-risk implementation patterns, most notably a 'curl | sh' installer in scripts/install-engine.sh that downloads and executes a shell script from a remote GitHub repository. Additionally, the caching hook in hooks/clawtk-cache/handler.ts is vulnerable to SQL injection because it uses template literals to construct queries for the sqlite3 CLI using potentially untrusted tool names and parameters. While these behaviors are documented and align with the stated purpose of token compression and spend management, the combination of remote code execution and lack of input sanitization in hooks warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the external installer or upstream project is compromised, it could change the user's local environment or agent tooling.
The Pro engine installer downloads a shell script from GitHub, executes it, and then runs a global auto-patch command. This is disclosed and related to token compression, but the provided artifacts do not show checksum/signature verification or a separate approval step before execution.
curl -fsSL "$installer_url" -o "$tmp_installer" ... sh "$tmp_installer" ... rtk init -g --auto-patch
Prefer manual installation from a verified release, add checksum/signature verification, and ask the user for explicit confirmation before executing downloaded installers or global patch commands.
The agent could act on stale or cached tool output, or a repeated command could be skipped when the user expected it to run again.
The cache hook can intercept tool calls, including selected bash commands, and return a cached result instead of letting the live tool run. Some regex-based bash allowlisting, such as all rtk commands and find, may be broader than strictly read-only behavior.
const CACHEABLE_TOOLS = new Set(["read_file", "list_directory", "search_files", "glob", "grep", "bash"]); ... /^rtk\b/ ... return { cached: true, cachedResult: cachedMake command-result substitution opt-in, use stricter read-only command parsing, include workspace/session/file-state checks in cache keys, and provide a clear disable/clear-cache command.
Sensitive file contents or command output seen by the agent may persist in a local SQLite database and may be reused later as context.
The Pro cache stores tool results locally, including outputs from file reads, searches, grep, and some bash commands. The artifacts do not show path exclusions, secret filtering, encryption, or age-based deletion; the 4-hour check limits reuse but old entries can remain in the database until pruned by count.
const CACHE_DB = join(OPENCLAW_DIR, "clawtk-cache.db"); ... setCache(hash, toolName, event.result); ... const MAX_CACHE_ENTRIES = 5000
Document exactly what is cached, exclude sensitive paths and secret-like outputs, purge expired entries, restrict file permissions, and give users an easy cache clear/disable option.
Bash tool behavior may continue to be modified after setup and may affect future OpenClaw sessions beyond the immediate cost-optimization task.
The Engine setup installs a global PreToolUse hook that transparently rewrites bash commands. This is aligned with the compression feature, but it is persistent and globally scoped rather than limited to a single session or task.
# This installs the PreToolUse hook that transparently rewrites bash commands rtk init -g --auto-patch
Clearly show the exact global changes before applying them, provide a verified uninstall/rollback path, and offer a session- or project-scoped installation mode.
The license key is transmitted to the vendor and stored locally where other local processes or users with file access may read it.
Pro activation sends the license key to api.clawtk.co and stores it in ~/.openclaw/clawtk-state.json. This is expected for a paid integration, but it is credential-like data.
response=$(curl ... -d "{\"key\": \"$key\"}" "$API_BASE/validate" ... ) ... '.tier = $tier | .licenseKey = $key | .activatedAt = $date'Users should only activate with a key they are comfortable sending to ClawTK; the skill should store only a scoped token or protect the state file permissions.