Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

context-engineer

v1.0.2

Context window optimizer — analyze, audit, and optimize your agent's context utilization. Know exactly where your tokens go before they're sent.

by Todd Kuehnl (@tkuehnl)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is described as a context window optimizer and the code and SKILL.md show it scans workspace files (SKILL.md, MEMORY.md, skills/*/SKILL.md, and .openclaw/openclaw.json) and produces token/efficiency reports — the requested binary (python3) and the file reads are appropriate for that purpose.
Instruction Scope
Instructions explicitly tell the agent to run the included Python script against a workspace or OpenClaw config; the script reads many user files under the provided workspace and can write snapshots. This matches the stated scope, but it does mean the skill will examine any files you point it at (which may contain sensitive data).
Install Mechanism
No install spec or third-party downloads are declared; the skill is instruction-only and ships a Python script that runs with the stdlib. No network fetches or external package installs are required according to the metadata and SKILL.md.
Credentials
No environment variables, credentials, or config paths beyond the workspace/config paths are requested. The script reads local workspace and OpenClaw config files only, which is proportionate to a context-auditing tool.
Persistence & Privilege
always is false and the skill does not declare any persistent system-level installation. Its writable actions are limited to saving snapshots/files you explicitly name; it does not request to modify other skills or global agent settings.
Assessment
This skill appears to do what it says: it inspects your agent workspace and OpenClaw config and writes analysis snapshots. Before installing or running it:
1) Understand it will read any files you point it at (SKILL.md, MEMORY.md, configs, skills/*/SKILL.md) — do not point it at directories containing secrets you don't want analyzed.
2) Review context.py (or run it in a sandbox) to confirm there are no network/exfiltration calls; the visible code shows only local file I/O and reporting, but the provided context.py snippet in this review was partial, so double-check the full file for network/socket/HTTP usage.
3) When running, avoid using elevated privileges and keep backups of any files you modify; inspect any saved snapshot JSON before sharing, since it may contain extracted text from your workspace.
If you want extra assurance, run the script on a copy of your workspace or in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔬 Clawdis
Bins: python3
