Security audit

token-optimizer-off

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its token-compression purpose, but it can automatically send conversation content to an AI provider, persist it in global OpenClaw memory, and its uninstall instructions can delete all OpenClaw memory.

Install only if you are comfortable with this skill using your OpenClaw AI credentials to process conversation summaries and store compressed memory across sessions. Prefer dry-run/manual compression, review generated summaries for secrets, and do not run rm -rf ~/.openclaw/memory unless you intentionally want to erase all OpenClaw memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain

Findings (10)

Tainted flow: 'STATE_FILE' from os.getenv (line 22, credential/environment) → open (file write)

Medium

Category: Data Flow
Content: def save_state(state: dict): """保存会话状态""" os.makedirs(SESSIONS_DIR, exist_ok=True) with open(STATE_FILE, 'w', encoding='utf-8') as f: json.dump(state, f, ensure_ascii=False, indent=2)
Confidence: 90% confidence
Finding: with open(STATE_FILE, 'w', encoding='utf-8') as f:

Context-Inappropriate Capability

High

Confidence: 94% confidence
Finding: The script sends entire session contents to a remote AI endpoint for compression, which can expose sensitive notes, paths, decisions, errors, and potentially credentials contained in the session summary. This is materially more dangerous because the stated task is local session summarization, yet the implementation performs network transmission of potentially sensitive local memory data.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The uninstall instructions tell users to remove `~/.openclaw/memory`, which the document itself states is OpenClaw's global memory directory, not a skill-local path. This can destroy unrelated application data and user history during routine uninstall, creating significant data-loss risk even without an attacker actively exploiting it.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly instructs users to perform a real session compression and save operation, while the documented memory layout shows data is written under ~/.openclaw/memory rather than remaining inside the skill directory. Without a clear warning about persistent modification of external conversation memory, users may unintentionally overwrite or alter retained session context, which can affect privacy, integrity, and recoverability of conversation history.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README states the tool automatically uses OpenClaw AI configuration and later documents custom API keys and API URLs, implying conversation content may be sent to an external model provider. Because there is no privacy or credential-handling warning, users may unknowingly transmit sensitive session data or expose secrets through inherited configuration, especially in a tool designed to process large conversation histories.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly says compression may run automatically and silently, while elsewhere documenting that summaries are stored persistently under ~/.openclaw/memory/. That combination creates a real privacy and consent risk because users may not realize their conversation content is being written to disk and retained across sessions.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: Although the tool description mentions use of AI configuration, it does not clearly warn users that their session content will be transmitted to an external provider. Users may reasonably believe this is a local compression utility that updates a local markdown file, so the missing disclosure undermines informed consent for data sharing.

Ssd 3

Medium

Confidence: 98% confidence
Finding: The compression rules instruct retention of sensitive configuration details, including API addresses, paths, and key prefixes, inside persistent memory summaries. Persisting such data increases the blast radius of any local compromise, accidental disclosure, cross-task leakage, or later prompt/context exposure, especially because this skill is specifically designed to reload memory across future sessions.

Unpinned Dependencies

Low

Category: Supply Chain
Content: openai>=1.0.0
Confidence: 95% confidence
Finding: openai>=1.0.0

Tool Parameter Abuse

High

Category: Tool Misuse
Content: rm -rf ~/.openclaw/workspace/skills/token-optimizer # 可选：删除记忆文件 rm -rf ~/.openclaw/memory ``` ## 获取帮助
Confidence: 97% confidence
Finding: rm -rf ~/.openclaw/

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal