token-saver
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill could change model selection, schedules, prompts, or tool profiles, which may reduce cost but also alter how OpenClaw agents behave.
The skill may make persistent configuration changes to optimize token use. This is disclosed and purpose-aligned, and higher-risk changes require approval, but direct application of 'Safe' changes can still affect future agent behavior.
Techniques marked **Moderate** or **High** risk involve config changes, profile switches, or task merging... get explicit approval... Techniques marked **Safe** can be applied directly.
Before applying optimizations, ask the agent to show a diff, create backups, and get confirmation for any config change that affects scheduled tasks, model choices, tools, or prompts.
The generated audit report may expose details about private workspace context, memory summaries, or startup files.
The skill inspects startup context files and compacted context summaries. This is relevant to token auditing, but file names, sizes, prompts, or summaries may reveal private workspace information if copied into reports.
List every file that is injected at session start... If LCM (Lossless Context Management) is active, note the number and average size of compacted summary blocks injected per turn.
Review the audit report before sharing it, and ask the agent to report only names/sizes or redacted summaries rather than sensitive file contents.
There may be ambiguity about whether credential-bearing OpenClaw configuration is involved.
The supplied capability signal indicates possible sensitive-credential relevance, while the requirements list no required credentials. The visible SKILL.md excerpt does not show credential collection or transmission, so this is a metadata/capability notice rather than evidence of credential misuse.
requires-sensitive-credentials
Do not provide API keys, tokens, cookies, or session credentials unless the agent clearly explains why they are needed; prefer redacted config views for token-audit work.