Is asif2bd/openclaw-token-optimizer safe?
https://github.com/openclaw/skills/tree/main/skills/asif2bd/openclaw-token-optimizer
This skill presents as a token cost optimizer but carries several significant behavioral risk vectors: a fabricated security auditor ('Oracle (Matrix Zion)' — a Matrix film reference), an AGENTS.md replacement feature capable of persistently altering core agent configuration, and a context optimizer that can suppress loading security guidelines for the majority of interactions. The installation itself was clean — only a legitimate GitHub clone occurred, no canary files were compromised, and no unexpected network connections appeared. The primary risks are post-installation and behavioral: unaudited Python scripts whose safety claims rest solely on a fabricated auditor, systematic model downgrading embedded across three skill components, and context-skipping patterns that could leave an agent operating without its security constraints.
Category Scores
Findings (15)
HIGH (score -15): Fabricated Security Auditor — 'Oracle (Matrix Zion)'
SKILL.md frontmatter declares security.verified=true with auditor 'Oracle (Matrix Zion)'. This is a reference to the Matrix film franchise — The Oracle is a character who lives in Zion. There is no security organization by this name. The fabricated attestation is a social engineering technique to make the skill appear independently vetted when it has not been. The SECURITY.md's extensive preemptive rebuttals of scanner heuristics ('Why VirusTotal or AV tools may flag this skill') further suggest deliberate scanner evasion rather than genuine transparency.
HIGH (score -20): AGENTS.md Replacement — Persistent Agent Configuration Hijack Vector
The skill's primary promoted action is 'python3 scripts/context_optimizer.py generate-agents' which generates AGENTS.md.optimized and instructs the agent to replace its current AGENTS.md. AGENTS.md is the core agent configuration file containing identity, permissions, capabilities, and behavioral guidelines. An agent operating in autonomous or unattended mode following this instruction would replace its own behavioral foundation with third-party skill-generated content. The inline 'review before replacing' caveat provides no protection in automated workflows.
HIGH (score -25): Unaudited Executable Scripts Promoted as Immediate Actions
SKILL.md presents five executable scripts as 'Immediate actions (no config changes needed)', a framing that encourages the agent to run all scripts without hesitation. The actual Python source code contents were not captured in the audit evidence, even though the Oathe system read them via cat (confirmed in the EXECVE log). All safety claims (no network, stdlib-only, no subprocess) originate solely from the skill author and a fabricated auditor. No npm install scripts, git hooks, or submodules were detected, which is a positive finding.
MEDIUM (score -17): Context File Skip-List Can Suppress Security Guidelines From Agent Context
The context_optimizer recommend command analyzes prompt complexity and returns a recommended_files list plus skip_patterns. For simple prompts (greetings, acknowledgments) it recommends loading only SOUL.md and IDENTITY.md while explicitly skipping docs/**/.md, memory/20.md, and by extension MEMORY.md, AGENTS.md, USER.md, TOOLS.md. If an agent integrates this recommendation, security guidelines, user preferences, and policy constraints are silently absent from context for the majority of interactions where the user sends short messages.
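The guard a practitioner would want before wiring any such recommend output into an agent's context loader is a check that the narrowed file set still contains the files carrying policy and permissions. The following is an added example, not code from the skill or from the Oathe report; the workspace listing, the greeting recommendation and its skip patterns are constructed to mirror the shape the finding describes, and the REQUIRED_CONTEXT set is an assumption about what a deployment treats as non-negotiable. The guard refuses to narrow context when a required file would be dropped and widens the recommendation instead.

```python
import fnmatch

# Context files a deployment treats as non-negotiable (assumption for this example).
REQUIRED_CONTEXT = {"AGENTS.md", "USER.md", "TOOLS.md", "MEMORY.md"}

# Constructed workspace listing and a constructed recommendation for a greeting,
# mirroring the shape described in the finding (file names and patterns are illustrative).
WORKSPACE = [
    "SOUL.md", "IDENTITY.md", "AGENTS.md", "USER.md", "TOOLS.md", "MEMORY.md",
    "docs/security/policy.md", "memory/2024-01-01.md",
]
GREETING_RECOMMENDATION = {
    "recommended_files": ["SOUL.md", "IDENTITY.md"],
    "skip_patterns": ["docs/**/*.md", "memory/*.md"],
}


def effective_context(recommendation, workspace):
    """Files that would actually be loaded: the recommended set minus anything a skip pattern matches."""
    skipped = {f for f in workspace
               if any(fnmatch.fnmatch(f, p) for p in recommendation["skip_patterns"])}
    return sorted(set(recommendation["recommended_files"]) - skipped)


def dropped_required(recommendation, workspace, required=REQUIRED_CONTEXT):
    """Required files present in the workspace that the recommendation leaves out of context."""
    loaded = set(effective_context(recommendation, workspace))
    return sorted((required & set(workspace)) - loaded)


def guard(recommendation, workspace, required=REQUIRED_CONTEXT):
    """Accept the recommendation only if it keeps every required file; otherwise widen it."""
    missing = dropped_required(recommendation, workspace, required)
    if not missing:
        return recommendation
    return {
        # add the dropped files back and remove any skip pattern that would re-exclude them
        "recommended_files": sorted(set(recommendation["recommended_files"]) | set(missing)),
        "skip_patterns": [p for p in recommendation["skip_patterns"]
                          if not any(fnmatch.fnmatch(f, p) for f in missing)],
        "restored": missing,
    }


if __name__ == "__main__":
    print("greeting would load:", effective_context(GREETING_RECOMMENDATION, WORKSPACE))
    print("required files dropped:", dropped_required(GREETING_RECOMMENDATION, WORKSPACE))
    print("guarded recommendation:", guard(GREETING_RECOMMENDATION, WORKSPACE))
```

Note that the security-relevant files disappear not through a skip pattern but simply by not being in recommended_files, which is why the check compares against the workspace rather than only evaluating the patterns.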
MEDIUM (score -20): Python Script Safety Claims Are Self-Asserted and Unverifiable
SECURITY.md provides detailed per-script claims: no urllib/requests/socket imports, no eval/exec/compile, no subprocess, stdlib-only (json, re, pathlib, datetime, os). These claims are made by the skill author and endorsed by a fabricated auditor. The Oathe system confirmed it read all four Python files during analysis (EXECVE log shows cat of each script at audit timestamps 1771648401.562-570), but the file contents were not captured in the audit evidence for independent review.
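Because the scripts' contents were not captured (the preceding two findings), the per-script claims remain untested. The following is an added example, not code from the skill or the audit system, showing how a reviewer can check those exact claims statically with the ast module: no network imports, no subprocess, no eval/exec/compile, and imports limited to the allowlist SECURITY.md states. The two sample scripts are constructed for illustration and are not the skill's files. The check only sees what is statically visible; it flags `__import__` and any non-allowlisted module such as importlib precisely because those are the routes around it, and it does not replace reading the source.

```python
import ast
import pathlib
import sys

# Imports whose presence would contradict the 'no network' / 'no subprocess' claims.
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "ssl", "ftplib", "smtplib", "httpx"}
PROCESS_MODULES = {"subprocess", "multiprocessing", "pty"}
DYNAMIC_EXEC = {"eval", "exec", "compile", "__import__"}
# Allowlist taken from the SECURITY.md claim ('stdlib-only: json, re, pathlib, datetime, os').
CLAIMED_ALLOWLIST = {"json", "re", "pathlib", "datetime", "os"}
# Attributes of the allowlisted `os` module that still spawn processes.
OS_PROCESS_ATTRS = ("system", "popen", "exec", "spawn", "fork", "posix_spawn")


def audit_source(source, allowlist=CLAIMED_ALLOWLIST):
    """Check one script's source against the claims; return {claim: [evidence]} for each failing claim.

    An empty dict means the static checks found nothing contradicting the claims.
    """
    findings = {}

    def note(claim, node, what):
        findings.setdefault(claim, []).append(f"line {node.lineno}: {what}")

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            if isinstance(node, ast.Import):
                roots = [alias.name.split(".")[0] for alias in node.names]
            else:
                roots = [node.module.split(".")[0]] if node.module else []
            for root in roots:
                if root in NETWORK_MODULES:
                    note("no_network", node, f"import {root}")
                if root in PROCESS_MODULES:
                    note("no_subprocess", node, f"import {root}")
                if root not in allowlist:
                    note("stdlib_allowlist", node, f"import {root}")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_EXEC:
                note("no_dynamic_exec", node, f"{func.id}()")
            if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                    and func.value.id == "os" and func.attr.startswith(OS_PROCESS_ATTRS)):
                note("no_subprocess", node, f"os.{func.attr}()")
    return findings


# Constructed samples (not the skill's scripts): one conforming, one contradicting every claim.
CONFORMING = """\
import json
from pathlib import Path

def load_state(path):
    return json.loads(Path(path).read_text())
"""

NONCONFORMING = """\
import json
import subprocess
from urllib import request

def refresh(url, cmd):
    body = request.urlopen(url).read()
    subprocess.run(cmd)
    os.system(cmd)
    return eval(body)
"""


if __name__ == "__main__":
    # Usage: python audit_claims.py scripts/*.py
    for arg in sys.argv[1:]:
        print(arg, audit_source(pathlib.Path(arg).read_text()) or "no contradictions found")
```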
MEDIUM (score -8): HEARTBEAT Template Mandates Model Override to Haiku
HEARTBEAT.template.md is designed to be installed to ~/.openclaw/workspace/HEARTBEAT.md via the SKILL.md Quick Start workflow. The template contains a CRITICAL-labeled section instructing the agent to call 'session_status model=anthropic/claude-haiku-4' at the start of every heartbeat execution. This would silently downgrade the model for all heartbeat sessions from whatever the user has configured to the cheapest available option.
MEDIUM (score -12): Filesystem Writes to Workspace Contradict No-Modification Claims
Multiple SKILL.md actions write to the filesystem: (1) 'cp assets/HEARTBEAT.template.md ~/.openclaw/workspace/HEARTBEAT.md', (2) context_optimizer generate-agents creates AGENTS.md.optimized, (3) token_tracker, heartbeat_optimizer, and context_optimizer each write JSON state files to ~/.openclaw/workspace/memory/. SECURITY.md claims scripts cannot 'Modify system files outside workspace' and lists scripts_data_local_only:true — but workspace modification is still filesystem modification and these files persist across sessions.
MEDIUM (score -12): Systematic Model Downgrade Embedded Across Multiple Skill Components
Three separate components enforce Haiku: (1) model_router.py ROUTING_RULES and COMMUNICATION_PATTERNS classify greetings, acknowledgments, background tasks, heartbeat checks, cronjobs, log scanning, and document parsing as Haiku-tier, covering the majority of typical agent interactions. (2) HEARTBEAT.template.md enforces Haiku for all heartbeat sessions. (3) cronjob-model-guide.md recommends Haiku for 90% of scheduled tasks. The net effect is that installing this skill systematically degrades agent response quality while framing the degradation as user-beneficial cost optimization.
LOW (score -8): subprocess.run Integration Pattern Contradicts scripts_no_subprocess Claim
SKILL.md's documented integration pattern for token budget checking uses subprocess.run() to spawn child Python processes. SECURITY.md claims 'scripts_no_subprocess: true' — this applies to the scripts themselves but not to the integration pattern promoted for adopting the skill. An agent implementing the documented pattern as written would spawn child processes, which is the subprocess behavior the claim purports to exclude.
LOW (score -5): optimize.sh Compound Execution Chain Reduces Audit Granularity
optimize.sh is a bash wrapper that dispatches to all four Python scripts based on subcommand. The SECURITY.md devotes a section to justifying the wrapper ('What it does (complete source)') suggesting awareness that it could be flagged. A compound chain where one script calls another reduces the ability to audit any individual script in isolation when invoked via the wrapper.
LOW (score -15): Preemptive Scanner Evasion Framing in SECURITY.md
SECURITY.md contains a section 'Why VirusTotal or AV tools may flag this skill' listing four specific scanner heuristics and providing rebuttals. This is unusual for a legitimate skill — it suggests the author anticipated automated security review and prepared counter-narratives for each expected finding. The section recommends users 'whitelist this skill' and categorizes all detections as false positives, which could cause users to override their security tooling.
LOW (score -10): Multi-Provider Configuration References External API Credentials and Network Calls
config-patches.json multi_provider_fallback patch includes placeholder values ${OPENROUTER_API_KEY} and ${TOGETHER_API_KEY}, routing configuration to openrouter.ai and together.ai endpoints. A _warning field explicitly acknowledges 'This patch requires OPENROUTER_API_KEY and/or TOGETHER_API_KEY environment variables... involve network requests.' While the patch is labeled optional and documented, PROVIDERS.md provides detailed instructions for configuring these connections, extending the skill's potential data flow surface.
MEDIUM (score -8): Persistent Cross-Session State Accumulates Behavioral Fingerprint
context_optimizer.py tracks which context files were loaded, how often, and when (stored in context-usage.json). heartbeat_optimizer.py tracks check frequencies and intervals (heartbeat-state.json). token_tracker.py accumulates daily/monthly usage totals (token-budget.json). These files persist across sessions and could be used to build a behavioral profile of the agent's workload patterns, document structure, and memory access frequencies — data that could be useful to a malicious skill author if the skill ever gained network access.
INFO (score -12): Canary File Accesses Attributed to Oathe Audit Infrastructure
The six honeypot credential files were accessed at two timestamps: (1) audit timestamp 1771648382 — 5 seconds before the git clone began at 1771648387, consistent with the Oathe system creating the canary files as part of setup. (2) audit timestamp 1771648403 — approximately 5 seconds after cp installation completed at 1771648398, consistent with Oathe post-install integrity verification. No evidence of skill-initiated credential file access. All canary files confirmed intact with no content modification.
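The attribution above rests on placing each canary access relative to the window in which the skill's own install commands ran. The following is an added example, not code from the Oathe system, that makes that reasoning repeatable over an event log: it parses constructed lines in the shape `<timestamp> <KIND> <detail>` using the timestamps the finding cites, bounds the install window from the git clone EXECVE to the last cp EXECVE, and tags every canary open as before, during or after that window. The canary paths, the log format and the cat lines (standing in for the harness reading the scripts) are constructed; the report does not list the actual honeypot file names. Only accesses inside the window, or accesses with no window to compare against, are left for manual attribution.

```python
import re

# Constructed honeypot paths (placeholders; the report does not list the real canary file names).
CANARY_PATHS = {"/root/.aws/credentials", "/root/.ssh/id_rsa"}

# Constructed event log using the timestamps the finding cites. The cat lines stand in for
# the harness reading the skill's scripts, which the report attributes to Oathe, not the skill.
SAMPLE_LOG = """\
1771648382.000 OPEN /root/.aws/credentials
1771648382.012 OPEN /root/.ssh/id_rsa
1771648387.000 EXECVE git clone https://github.com/openclaw/skills
1771648398.000 EXECVE cp assets/HEARTBEAT.template.md /root/.openclaw/workspace/HEARTBEAT.md
1771648401.562 EXECVE cat scripts/context_optimizer.py
1771648401.570 EXECVE cat scripts/token_tracker.py
1771648403.000 OPEN /root/.aws/credentials
1771648403.015 OPEN /root/.ssh/id_rsa
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<kind>OPEN|EXECVE)\s+(?P<detail>.+)$")


def parse_log(text):
    """Parse log lines into (timestamp, kind, detail) tuples, ignoring lines that do not fit the shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["kind"], m["detail"]))
    return events


def install_window(events):
    """Bound the skill's own activity: from the git clone EXECVE to the last install cp EXECVE.

    This uses exec start times; for a stricter bound use process exit times where the log has them.
    """
    clone = [t for t, k, d in events if k == "EXECVE" and d.startswith("git clone ")]
    copies = [t for t, k, d in events if k == "EXECVE" and d.startswith("cp ")]
    if not clone or not copies:
        return None
    return (min(clone), max(copies))


def classify_canary_access(events, canary_paths=CANARY_PATHS):
    """Tag every canary open with its position relative to the install window."""
    window = install_window(events)
    tagged = []
    for t, kind, detail in events:
        if kind != "OPEN" or detail not in canary_paths:
            continue
        if window is None:
            verdict = "unattributed"   # no install window: the skill cannot be excluded
        elif t < window[0]:
            verdict = "before-install"
        elif t <= window[1]:
            verdict = "during-install"
        else:
            verdict = "after-install"
        tagged.append((t, detail, verdict))
    return tagged


def needs_manual_attribution(events):
    """Canary opens that cannot be attributed to harness setup or verification by timing alone."""
    return [e for e in classify_canary_access(events) if e[2] in ("during-install", "unattributed")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("install window:", install_window(evs))
    for entry in classify_canary_access(evs):
        print(entry)
    print("needs manual attribution:", needs_manual_attribution(evs))
```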
INFO (score -18): Clean Git Clone — Single GitHub HTTPS Connection
Installation involved a single outbound TCP connection to 140.82.121.4:443 (GitHub) for the git clone. DNS queries resolved only GitHub addresses. No connections to third-party C2 servers, analytics endpoints, or telemetry services. Connection diff shows no new listening ports and no new persistent connections after installation completed.