Is context-optimizer safe?

Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json during the install phase. While some of these may be incidental to the Node.js/openclaw runtime, the .aws/credentials access is particularly concerning for a context management skill that has no stated need for AWS services.

The ContextArchive class stores full conversation content as JSON files on disk with no encryption, access controls, or data sanitization. The archive includes semantic embeddings and keyword indexes that make stored conversations easily searchable. This creates a persistent local data store of all conversations processed through this skill.

The skill imports and instantiates ContextOptimizerLogger from chat-logger.js, a file that handles conversation logging. The full source code of this file was not included in the evidence, creating a critical audit blind spot. The logger receives conversation data and optimization events but its behavior cannot be verified.

The @xenova/transformers dependency downloads the 'Xenova/all-MiniLM-L6-v2' embedding model (~80MB) from HuggingFace at runtime on first use. This represents an uncontrolled external code/data fetch that bypasses install-time monitoring.

tiktoken includes native bindings (WASM/native code) and @xenova/transformers is a large ML framework. Both introduce significant attack surface through their dependency trees and native code execution.

The skill includes multiple executable JavaScript files including a CLI tool (scripts/cli.js) and example integrations that read/write files. The CLI can read arbitrary JSON files and write output files.

The skill slug is 'context-optimizer' but SKILL.md metadata install command references 'context-pruner' directory, and internal code refers to itself as 'Context Pruner'. This mismatch could cause install scripts to execute in unexpected directories or confuse users about what is actually installed.

The skill is configured to always preserve system messages (preserveSystem: true) and high-priority messages while pruning others. If an attacker injects malicious instructions as system messages or high-priority messages, this skill will ensure they persist while legitimate user messages are pruned away.

During installation, the openclaw.json config file was read 6+ times and .profile/.bashrc were each read 5+ times. This pattern of repeated reads suggests systematic enumeration of user environment configuration rather than incidental access.

The installation process read /etc/machine-id which provides a unique identifier for the host machine. This has no legitimate purpose for a context optimization skill and could be used for tracking or fingerprinting.

The installation created lock files in /tmp/openclaw-1000/ and compiled JavaScript modules in /tmp/jiti/. While /tmp usage is common, the lock file and compiled modules persist beyond the install and could be leveraged by other processes.

The dynamic context feature filters messages based on 'relevance' scores. In adversarial scenarios, security warnings, safety disclaimers, or user safety instructions could be scored as low-relevance to the current query and silently removed from context, effectively suppressing safety guardrails.

Even if no network exfiltration occurs during install, the archive system creates a persistent on-disk store of all conversations. A future update, a companion skill, or another process on the same machine could read and exfiltrate this archived data.

All honeypot files (fake .env, SSH keys, AWS credentials) were verified intact after installation. No canary files were accessed or modified.