openclaw-optimize

Security checks across malware telemetry and agentic risk

Overview

This optimization skill mostly does what it is described as doing, but it can delete OpenClaw history and run broad host-level cleanup without adequate warnings or confirmation.

Review carefully before installing. Avoid running this skill with sudo/root, back up ~/.openclaw/workspace/memory before using --full, --clean-history, optimize(), or auto_optimize(), and prefer report/diagnostic paths unless you explicitly want files deleted or system-level cache behavior changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Linux: clear the page cache
    if os.path.exists('/proc/sys/vm/drop_caches'):
        subprocess.run(['sync'], check=True)
        with open('/proc/sys/vm/drop_caches', 'w') as f:
            f.write('3')
except Exception as e:
Confidence
93% confidence
Finding
subprocess.run(['sync'], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents shell execution and file-modifying behavior but does not declare any permissions, which prevents informed consent and proper sandboxing by the host system. In this context, the skill can change configuration, clean history, install packages, restart services, and potentially invoke privileged operations, so undeclared capabilities materially increase risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose frames the skill as routine performance tuning, but the detected behavior extends into broader system/process inspection, system-level cache manipulation, memory limit changes, and scanning of additional workspace areas. That mismatch is dangerous because users may authorize a benign-seeming optimization skill without realizing it can inspect unrelated processes, alter runtime limits, and affect system stability or privacy.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically runs `pip install psutil -q` when `psutil` is missing, which introduces software-installation behavior into a performance tool without explicit user consent. This expands the tool's capabilities, can modify the host environment unexpectedly, and may pull code from external package sources, creating supply-chain and change-control risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The advertised functionality includes history cleanup as a normal optimization operation, which can delete operational records that users may expect to retain. Because historical data may contain audit, troubleshooting, or memory context information, bundling deletion into an optimization tool increases the risk of accidental data loss.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The `--full` workflow invokes `cmd_clean_history` automatically, so a user requesting broad optimization will also trigger deletion of records without a dedicated decision point. In this skill context, that makes the behavior more dangerous because users may reasonably interpret 'full optimization' as tuning-only rather than destructive maintenance.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The optimizer performs destructive deletion of history files via clean_old() as part of full_optimize(), which exceeds passive monitoring/tuning and can remove user data without explicit consent. Even if intended for performance improvement, bundling deletion into an optimization routine creates a data-loss risk and violates least surprise for users invoking a performance tool.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The optimizer automatically deletes files from the workspace memory/history area based on age, which is a destructive capability rather than mere tuning or monitoring. Because auto_optimize() can trigger smart_cleanup() without confirmation, users may lose operational history, memory, or forensic data unexpectedly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Writing to /proc/sys/vm/drop_caches and calling sync are privileged host-management operations that affect the entire Linux system, not just OpenClaw. This exceeds the stated optimization scope and can interfere with other workloads, require root access, and normalize unsafe use of elevated permissions in an application-level skill.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comment claims to clear a Python cache, but the code actually executes sys.modules.clear(), which wipes the interpreter's module registry and can destabilize or break the running process. This mismatch is dangerous because reviewers or users may underestimate the impact of the action and allow it to run automatically.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises 'one-click fix' and automatic optimization features without warning that they may modify system configuration, clear caches, or delete/alter user data. In an agent skill context, users may treat the command as safe and routine, increasing the chance of unintended destructive actions on history, settings, or runtime state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented history-cleaning capability lacks a clear statement that cleanup, archival, or deletion may be irreversible. Because this skill is positioned as an automation and performance tool, users may invoke cleanup to fix lag without understanding that important conversational or audit history could be permanently removed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The history cleaning, vacuuming, and archiving commands can delete, compress, or relocate user conversation data without any warning about permanence, retention effects, or backup requirements. In a skill intended for troubleshooting, these actions are especially risky because users may run them quickly during incident response and lose data needed for recovery or audit.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Configuration generation, apply, and reset commands can change active system behavior and potentially degrade availability, compatibility, or security posture, yet the documentation presents them as routine steps without caution. Users may unknowingly overwrite tuned settings or reset protective configuration while troubleshooting performance issues.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
Restart and automatic optimization steps can interrupt service and apply changes without operator review, but the skill content does not warn about downtime, side effects, or the scope of modifications. In production or shared environments, this can cause avoidable outages or unintended changes during a troubleshooting session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically installing a Python dependency without prior warning or confirmation is an unsafe side effect for a command-line maintenance tool. It can change system state, fail unpredictably under different privilege models, and expose the environment to unreviewed third-party package retrieval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The history-cleaning path deletes records older than 3 days immediately, with no confirmation, preview, or recovery mechanism. This is dangerous because users can unintentionally destroy troubleshooting history, memory artifacts, or audit-relevant data simply by invoking the cleanup command.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
History cleanup permanently deletes files with unlink() based only on age and occurs without warning or confirmation in the cleanup path. A user or caller invoking optimization may unexpectedly lose potentially important memory/history artifacts, and a mistaken retention setting could amplify the damage.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code deletes workspace history files older than a threshold without any user-facing warning, confirmation, or backup step. In the context of an 'automatic optimizer', this creates a high risk of silent data loss because users may expect performance tuning, not irreversible deletion of historical records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automatic optimization path performs aggressive memory manipulation, including repeated gc.collect() and the unsafe clearing of sys.modules, without clearly disclosing the operational risk. In a long-running agent process this can lead to instability, broken imports, or corrupted runtime behavior while appearing to be a routine optimization step.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code performs a privileged cache-clearing sequence on the host system and does so without prior warning or user consent. Because the action is system-wide and may require elevated rights, embedding it in a performance skill increases the chance of unexpected host impact and misuse under trusted automation.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The document promotes broad automatic behaviors like 'auto-detect', 'one-click fix', and 'auto-optimize' without defining scope, safeguards, or execution boundaries. In an agent skill context, vague automation can conceal impactful actions on files, processes, or configuration and prevents users from giving informed consent before changes occur.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installation and usage text advertises cleanup, cache clearing, history cleanup, and one-click repair features without warning that they may delete data, alter history, or change system state. This is dangerous because users may invoke destructive maintenance actions assuming they are safe and reversible when the documentation gives no retention, backup, or confirmation guidance.

VirusTotal

66/66 vendors flagged this skill as clean.
