ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deflate — Intelligent Context Compression

v1.0.0

Intelligent context compression for OpenClaw agents. Applies Cornell-MapReduce methodology to preserve information quality while reducing token cost by 60-80...

0· 179·0 current·0 all-time
byManuel@thevibestack
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (context compression) align with the SKILL.md content. However, the instructions repeatedly reference agent memory (MEMORY.md) and changes to agent config (openclaw.json) while the skill declares no required config paths or credentials. Reading/writing agent memory/config is plausible for this purpose, but the manifest doesn't declare those requirements, which is an incoherence to be aware of.
!
Instruction Scope
Runtime instructions tell the agent to detect topics, write/flush content to MEMORY.md, and include token-zone reports in every response. Crucially, the compression workflow's PRESERVE step explicitly requires preserving API keys, config values, and other sensitive data verbatim in compressed summaries. That means sensitive secrets could end up embedded in summaries the agent may send to models or other endpoints — a high-scope instruction that isn't scoped or constrained in the SKILL.md.
Install Mechanism
Instruction-only skill with no install spec, no code, and no downloads. This is low-risk from an install mechanism perspective.
!
Credentials
The skill does not request any environment vars or credentials, yet its methodology explicitly preserves API keys and config values. Asking to retain sensitive secrets verbatim is disproportionate unless the operator intentionally permits the agent to access those secrets — the manifest should have declared this requirement or provided guidance on redaction/handling of secrets.
Persistence & Privilege
always:false and normal autonomous invocation are set. The skill recommends edits to openclaw.json and saving to MEMORY.md, which implies persistent changes to agent configuration and storage, but these are only recommendations in README.md and not enforced by an installer. Still, the skill expects the agent to write to its memory/store; verify permissions and storage security before enabling.
What to consider before installing
This skill aims to reduce token cost and largely behaves like an instruction-only compression helper, but it explicitly asks you to preserve sensitive data (API keys, config values, URLs, IDs) unchanged in compressed summaries and to write/flush data to MEMORY.md and optionally change agent config. Before installing or enabling it: 1) Confirm where MEMORY.md (your agent memory) is stored and who/what can read it; ensure it is encrypted/accessible only to trusted processes. 2) Decide whether you want API keys and other secrets ever included verbatim in compressed session context — if not, modify the PRESERVE rules to redact or exclude secrets. 3) Test in a non-production agent to verify it doesn't leak sensitive data to external services. 4) If you will allow it to modify openclaw.json or memory automatically, ensure agent backups and permission controls are in place. If you cannot guarantee secure storage and handling of secrets, treat this skill as dangerous for chats that contain credentials or other sensitive tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cpnmc1ft84xm5w5m76g5jtd8385h9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments