Context Compactor (Zero Dep)

Security checks across malware telemetry and agentic risk

Overview

This skill stores local conversation summaries as advertised, with privacy caveats but no evidence of hidden exfiltration, credential abuse, or destructive behavior.

Install only if you are comfortable with conversation summaries being saved under the OpenClaw workspace and reused in later sessions. Avoid compacting sessions with secrets or sensitive internal details, and review compact files if privacy matters because redaction is helpful but not complete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill performs environment access plus file read/write behavior, but does not declare permissions explicitly. That reduces transparency and weakens platform policy enforcement because users and orchestrators may not realize the skill persists and rehydrates session data from disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description frames the skill as simple conversation compression, but the documented behavior also includes listing historical compacts, reading the latest compact, computing stats, and accepting raw stdin for storage. This mismatch can mislead users into invoking a persistence and retrieval mechanism with broader data handling than advertised.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The extraction rules instruct the agent to capture URLs, file paths, configs, and technical details as facts, directly contradicting the earlier hard redaction rules that forbid storing paths and internal URLs. In practice, contradictory guidance often leads to sensitive infrastructure data being summarized into persistent memory files.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The sample compact contains concrete domain names, repository references, database file locations, hostnames, and operational details despite the stated prohibition on paths, internal URLs, and sensitive technical location data. Examples strongly shape agent behavior, so this sample materially increases the chance of persistent leakage of sensitive context.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Broad triggers like 'summarize this conversation' or 'start fresh but remember' overlap with normal chat phrasing and can cause the skill to activate without clear, informed consent to persist content. Because this skill writes durable summaries to disk, accidental activation has privacy and retention consequences beyond a transient summary response.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The 'When to Compact' section uses vague activation conditions like context feeling bloated or user saying 'summarize', which are insufficiently bounded for a persistence feature. Ambiguous triggers increase the likelihood of saving sensitive conversational material when the user only intended a temporary recap.

Missing User Warnings

Low
Confidence
71% confidence
Finding
The retention policy auto-deletes older compacts after 30 entries, but that behavior is not surfaced prominently in the skill description. While not a direct exploit vector, poor disclosure can create data governance and user expectation problems around durability and auditability.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This tool persists derived conversation content to disk under a workspace path, but the interface and top-level documentation do not clearly warn users that session data will be stored locally. In a context-compaction skill, this is more sensitive than usual because conversations often contain project details, operational context, and residual secrets that may survive imperfect redaction, creating privacy and data-retention risk on shared or synced systems.

Session Persistence

Medium
Category
Rogue Agent
Content
## Security

### Write Restrictions (Hard Rules)
The agent may ONLY write to these locations:
- `memory/compacts/` — compact files only
- `SESSION-STATE.md` — via smart-memory skill (not this skill)
Confidence
84% confidence
Finding
Write Restrictions (Hard Rules) The agent may ONLY write to these locations: - `memory/compacts/` — compact files only - `SESSION-STATE.md` — via smart-memory skill (not this skill) The agent MUST NO

Session Persistence

Medium
Category
Rogue Agent
Content
### How to Compact
The agent drafts the compact content, then saves it via:
```
echo "compact content" | python3 scripts/compact_session.py --write
```
The `--write` flag enforces all security checks programmatically: redaction of paths/URLs/IPs/secrets, path containment within workspace, and file naming. The agent NEVER writes directly to disk.
Confidence
86% confidence
Finding
The `--write` flag enforces all security checks programmatically: redaction of paths/URLs/IPs/secrets, path containment within workspace, and file naming. The agent NEVER writes directly to

VirusTotal

65/65 vendors flagged this skill as clean.
