Is atlaspa/openclaw-context-optimizer safe?
https://github.com/openclaw/skills/tree/main/skills/atlaspa/openclaw-context-optimizer
The openclaw-context-optimizer skill presents a CAUTION-level risk profile. Its most serious structural concern is that it stores complete original conversation context in a local SQLite database and registers three automatic request-interception hooks whose source code was not available for inspection — together these create an unverifiable full-conversation capture pipeline. Additionally, the skill is explicitly designed to enable autonomous cryptocurrency payments from agent wallets with no human approval required, which poses a direct financial risk to any agent operating with a funded wallet.
Findings (9)
CRITICAL (-35) Full Conversation Context Persisted to Local SQLite Database
Every call to recordCompressionSession() stores both the original_context and compressed_context fields in the compression_sessions table. This means the complete text of every user message and agent response intercepted by the request:before hook is written to disk at ~/.openclaw/openclaw-context-optimizer/context-optimizer.db. The database persists across sessions and is never automatically purged (cleanup is manual, defaulting to 90 days). Any subsequent skill, process, or update that can read this file gains full conversation history.
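As an added, defender-side check (not part of the audit and not the skill's own code), the script below opens the database path named in this finding, reports which tables carry raw context columns and how many bytes of text they hold, and purges rows older than a retention window; the `created_at` column and the sample rows are assumptions, since the page does not document the full schema.

```python
import sqlite3
import time
from pathlib import Path

# Database location reported in the audit finding.
DB_PATH = Path.home() / ".openclaw" / "openclaw-context-optimizer" / "context-optimizer.db"
# Column names named in the finding as holding full conversation text.
SENSITIVE_COLUMNS = {"original_context", "compressed_context"}


def inspect_context_store(conn):
    """Return {table: {"rows": n, <column>: total_bytes}} for every table
    that stores raw or compressed conversation text."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    report = {}
    for table in tables:
        cols = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
        hit = sorted(cols & SENSITIVE_COLUMNS)
        if not hit:
            continue
        sums = ", ".join(f'COALESCE(SUM(LENGTH("{c}")), 0)' for c in hit)
        row = conn.execute(f'SELECT COUNT(*), {sums} FROM "{table}"').fetchone()
        report[table] = {"rows": row[0], **dict(zip(hit, row[1:]))}
    return report


def purge_older_than(conn, table, days, now=None):
    """Delete rows whose created_at (assumed: unix seconds) is older than `days`."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    cur = conn.execute(f'DELETE FROM "{table}" WHERE created_at < ?', (cutoff,))
    conn.commit()
    return cur.rowcount


def build_sample_db():
    """Constructed in-memory stand-in for the real database (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE compression_sessions (
        id INTEGER PRIMARY KEY, agent_wallet TEXT, created_at REAL,
        original_context TEXT, compressed_context TEXT)""")
    conn.execute("CREATE TABLE token_stats (agent_wallet TEXT, tokens_saved INTEGER)")
    now = 1_700_000_000
    rows = [  # constructed sample sessions: one is past the 90-day default
        ("0xWALLET_A", now - 100 * 86400, "old user msg " * 10, "old summary"),
        ("0xWALLET_A", now - 5 * 86400, "recent user msg " * 10, "recent summary"),
        ("0xWALLET_B", now - 1 * 86400, "another convo", "short"),
    ]
    conn.executemany("INSERT INTO compression_sessions(agent_wallet, created_at, "
                     "original_context, compressed_context) VALUES (?,?,?,?)", rows)
    return conn, now
```

Against a live install, replace `build_sample_db()` with `sqlite3.connect(DB_PATH)` and run `inspect_context_store` before deciding what to purge.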
HIGH (-25) Request Hook Code Not Available — Highest-Risk Execution Path is Opaque
package.json registers hooks/request-before.js, hooks/request-after.js, and hooks/session-end.js as automatic hooks on every agent request and session lifecycle event. These files are present in the skill directory (confirmed by the filesystem listing and auditd PATH records) but their source code was not captured in the evidence dump. The request:before hook in particular executes with access to the full outgoing context before it reaches the LLM API, making it the most dangerous unverified component in the skill.
HIGH (-35) Autonomous Cryptocurrency Payments Designed to Operate Without Human Approval
AGENT-PAYMENTS.md contains an explicit autonomous payment workflow where an AI agent evaluates ROI, calls POST /api/x402/subscribe, sends 0.5 USDT on-chain, and verifies payment — all described as occurring 'with no human in the loop'. The skill actively encourages agents to run auto-renewal logic (autoRenewIfProfitable) that repeats this payment cycle monthly. This creates a mechanism for the skill to drain agent-controlled wallets autonomously and indefinitely if the agent's wallet is funded.
HIGH (-15) Dashboard HTTP API Exposes Stored Conversation Statistics and Context
dashboard.js starts an Express web server on port 9092 with endpoints including GET /api/stats, GET /api/roi, GET /api/compress, and GET /api/x402/license/:wallet. While the dashboard was not observed listening during the audit connection diff (it requires explicit invocation), any local process or compromised skill can query these endpoints once the dashboard is running to retrieve aggregated statistics and potentially conversation content.
MEDIUM (-20) Three Automatic Hooks Execute on Every Agent Request Without Explicit Invocation
The OpenClaw hook system runs request-before.js before every API call, request-after.js after every response, and session-end.js at the end of every session. Because the hook source is not available for review, it is unknown whether these hooks transmit context to external endpoints, log to disk beyond what storage.js documents, or modify outgoing payloads. The automatic execution on every request means there is no opt-in — installing the skill installs persistent request interception.
MEDIUM (-15) MVP Payment Verification Trusts Self-Reported Transaction Hashes
The payment verification endpoint (POST /api/x402/verify) accepts a caller-supplied tx_hash and grants Pro tier based on that hash without performing on-chain verification. A malicious agent or external caller can supply a fabricated transaction hash to unlock unlimited compressions for free, or conversely an attacker who controls the local server can deny legitimate payments to lock out users.
MEDIUM (-20) Request Interception Hook Can Silently Modify Outgoing LLM Context
By registering at request:before, the skill gains write access to the context payload before it reaches the LLM. The compression logic (deduplication, pruning, summarization) is applied transparently. A malicious implementation could selectively remove safety guardrails, system prompt sections, or user instructions, or inject additional instructions, without the user ever seeing the modified prompt. The claim of '40–60% token reduction' provides cover for significant context manipulation.
LOW (-10) Canary Credential Files Accessed During Monitoring Window
inotify events and auditd PATH records confirm that /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read twice: once at 05:52:49 (pre-install, audit seq 1771653169) and once post-install (audit seq 1771653190). The timing, the sequential inode numbers, and the fact that all six files were read in the same instant on both occasions are consistent with the Oathe framework's own canary placement and integrity verification. However, attribution to the framework alone cannot be confirmed from the available evidence.
INFO (-5) Agent Wallet Address Used as Persistent Cross-Session Tracking Identifier
All storage tables (compression_sessions, token_stats, agent_optimizer_quotas, payment_transactions) are keyed on agent_wallet. This creates a persistent, cross-session profile of every agent's compression patterns, API call volumes, topic frequencies (via pattern learning), and payment history. Even absent external exfiltration, this profile exists in the local database and links behavioral data to a blockchain-addressable identity.