
Security audit

agent-quantizer

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw optimization/admin toolkit, but it can rewrite session history and user files with limited guardrails.

Install only if you are comfortable giving this skill admin-like control over local OpenClaw state. Manually back up sessions and prompt files before compression or trimming, avoid AI compression on sessions containing secrets, use dry-run modes where available, and review any proposed skill moves before confirming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises and instructs execution of shell scripts that read, modify, back up, and delete local data, but it does not declare any permissions. This creates a transparency and consent failure: a user or platform may treat the skill as lower-risk while it actually has filesystem and shell execution capabilities, increasing the chance of unexpected destructive or privacy-impacting actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is optimization, but the described behavior includes broad session scanning, direct rewriting/deletion of session JSONL files, prompt trimming on arbitrary files, and AI-mediated context injection. This mismatch is dangerous because it obscures the real trust boundary and can lead users to invoke a seemingly harmless optimization tool that actually performs invasive local-data manipulation and potentially propagates altered context into agent state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding: The skill is described as an API optimization tool, but it directly edits local OpenClaw session state files under ~/.openclaw. That hidden coupling to on-disk state increases risk because users may invoke an 'optimizer' expecting non-destructive tuning, while the script actually mutates persistent conversation history and can affect agent behavior or recoverability.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: The AI compression path deletes the original session JSONL file and reconstructs state by injecting a summary, which can irreversibly destroy conversation history if summarization is incomplete, incorrect, or interrupted. In an agent skill context, conversation history may contain operational state, decisions, and audit trails, so destructive loss can materially impact integrity and traceability.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill exposes a cache-clearing command as a simple shortcut without any warning that data will be irreversibly removed or any indication that confirmation is needed. In an agent setting, terse natural-language triggers make accidental invocation more likely, causing loss of cached results, degraded performance, and possibly deletion of locally accumulated work product.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The AI summarization mode sends session context to an agent/API for summarization without prominently warning the user that prior conversation data may be transmitted or reprocessed. If sessions contain secrets, personal data, or sensitive operational context, this can create an unintended data disclosure path.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The compression workflow performs destructive deletion/replacement of session files without an explicit user confirmation step, increasing the likelihood of accidental data loss. Because this operates on agent conversation state, unintended execution can corrupt context, erase evidence, and change subsequent model behavior in ways that are hard to detect.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The trim command rewrites the specified file in place after applying aggressive regex-based transformations, but it does not warn the user, create a backup, or require confirmation. This can silently alter prompt meaning, remove important instructions, or destroy user-authored content in a way that is difficult to recover.
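The Overview's advice (back up before compression or trimming, keep secret-bearing sessions away from AI compression, prefer dry-run modes) and the findings above about sending session content to a summarization API and rewriting files in place without a backup can be enforced by a small pre-flight wrapper run before the skill. The script below is an added example, not code from agent-quantizer or OpenClaw; the JSONL message layout, the secret regexes and the whitespace-collapsing stand-in for the skill's trim are all assumptions, and the sample session is constructed.

```python
"""Pre-flight guardrails for a destructive session optimizer (added example).

Before a tool compresses or trims files under ~/.openclaw: (1) scan the session
JSONL for secret-shaped strings so they are not shipped to a summarization API,
(2) take a hash-verified backup, (3) rewrite atomically so an interrupted run
cannot leave a torn file. Layout and patterns are assumptions, not the skill's.
"""
import hashlib, json, os, re, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable

# Illustrative secret shapes; tune to what your sessions actually carry.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*", re.I),
    "generic_assignment": re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*\S{8,}"),
}


def _strings(obj):
    """Yield every string value nested inside a parsed JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def scan_jsonl_for_secrets(path: Path) -> list:
    """Return (line_number, pattern_name) for each secret-looking session line.
    A malformed line is scanned raw rather than skipped: a corrupt session is the
    last one you want quietly summarized and deleted."""
    hits = []
    with path.open("r", encoding="utf-8", errors="replace") as f:
        for lineno, raw in enumerate(f, start=1):
            try:
                text = "\n".join(_strings(json.loads(raw)))
            except json.JSONDecodeError:
                text = raw
            hits += [(lineno, n) for n, p in SECRET_PATTERNS.items() if p.search(text)]
    return hits


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_file(path: Path, backup_dir: Path) -> Path:
    """Copy path into backup_dir with a UTC timestamp; verify the copy by hash."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_dir / f"{path.name}.{stamp}.bak"
    shutil.copy2(path, dest)
    digest = sha256_file(path)
    if sha256_file(dest) != digest:
        dest.unlink()
        raise IOError(f"backup hash mismatch for {path}")
    Path(str(dest) + ".sha256").write_text(f"{digest}  {dest.name}\n")
    return dest


def safe_rewrite(path: Path, transform: Callable[[str], str], backup_dir: Path, dry_run: bool = True) -> dict:
    """Apply transform to the file; with dry_run nothing on disk changes.
    A real run backs up first, writes a temp file in the same directory, fsyncs,
    then os.replace()s it, which is atomic on POSIX: old or new, never half."""
    original = path.read_text(encoding="utf-8")
    rewritten = transform(original)
    summary = {"path": str(path), "bytes_before": len(original.encode()), "bytes_after": len(rewritten.encode()),
               "changed": rewritten != original, "dry_run": dry_run, "backup": None}
    if dry_run or not summary["changed"]:
        return summary
    summary["backup"] = str(backup_file(path, backup_dir))
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(rewritten)
            f.flush()
            os.fsync(f.fileno())
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return summary


def collapse_whitespace(text: str) -> str:
    """Stand-in for the skill's regex trim (assumed): squeeze runs of blanks per line."""
    return "\n".join(re.sub(r"[ \t]{2,}", " ", line) for line in text.splitlines()) + "\n"


SAMPLE_SESSION = [  # constructed sample; AKIAIOSFODNN7EXAMPLE is AWS's documented dummy key
    {"role": "user", "content": "Summarize   our deploy plan."},
    {"role": "assistant", "content": "Plan: build, test, deploy to staging."},
    {"role": "user", "content": "Use key AKIAIOSFODNN7EXAMPLE for the bucket."},
]


def demo() -> dict:
    """Run the guardrails against the constructed session in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        work, backups = Path(d), Path(d) / "backups"
        session = work / "session.jsonl"
        original = "".join(json.dumps(m) + "\n" for m in SAMPLE_SESSION)
        session.write_text(original, encoding="utf-8")
        report = {"secret_hits": scan_jsonl_for_secrets(session)}
        report["ai_compression_ok"] = not report["secret_hits"]  # refuse to summarize secret-bearing sessions
        report["dry_run"] = safe_rewrite(session, collapse_whitespace, backups, dry_run=True)
        report["dry_run_left_file_untouched"] = session.read_text(encoding="utf-8") == original
        real = safe_rewrite(session, collapse_whitespace, backups, dry_run=False)
        report["real_run"] = real
        report["backup_matches_original"] = Path(real["backup"]).read_text(encoding="utf-8") == original
        report["file_is_transformed"] = session.read_text(encoding="utf-8") == collapse_whitespace(original)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the scan and the dry run before invoking the skill; only proceed to the real rewrite when `ai_compression_ok` is true (or after redacting the flagged lines) and the dry-run byte delta looks like what you expect from a trim rather than a wipe. The regex list is deliberately short and will miss custom token formats, so treat a clean scan as necessary, not sufficient.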

VirusTotal

0 of 64 VirusTotal vendors flagged this skill as malicious. Note that the findings above concern what the skill is designed to do to local state, which a malware scan does not assess.
