proxy-token-optimizer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate cost-optimization helper, but its database reporting and generated agent-configuration files should be used intentionally.
Before installing or using this skill, verify the package version, run the database reporting commands only in an authorized openclaw-manager environment, treat generated usage reports as potentially sensitive, and review any generated AGENTS.md or heartbeat configuration before applying it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against a production database, the skill can reveal platform usage patterns, instance names, and quota-plan information in the agent output.
The platform-side advisor uses the openclaw-manager application database session and reads instance, quota, and usage data. This is disclosed and aligned with quota analysis, but it depends on privileged project database access.
from app.database import SessionLocal ... FROM instances i LEFT JOIN instance_quotas q ... FROM usage_records
Run the DB-reporting commands only in the intended openclaw-manager environment, with appropriate authorization, and avoid sharing generated reports outside the intended audience.
If adopted, the generated file may cause future agents to load less context by default, which can save tokens but may omit information needed for some tasks.
The context optimizer can generate a persistent AGENTS.md-style instruction file that changes future context-loading behavior. It writes a separate AGENTS.md.optimized file and asks the user to review it, so this is user-directed rather than hidden.
output_path = Path("AGENTS.md.optimized") ... "每次会话必须加载" ... "不要加载其他文件,除非下面的条件触发。"
Review AGENTS.md.optimized carefully before replacing any live AGENTS.md, and adjust the loading rules for your project’s privacy and reliability needs.
A version mismatch can make it harder to verify exactly which package version is installed or reviewed.
The registry metadata provided for review lists version 1.0.1, while the packaged _meta.json lists 1.0.0. This is a minor provenance/coherence issue, not evidence of unsafe behavior.
"version": "1.0.0"
Confirm that the installed package version matches the registry entry; maintainers should align _meta.json with the published version.
