Is beboxos/clawpressor safe?

https://github.com/openclaw/skills/tree/main/skills/beboxos/clawpressor

Overall score: 64/100 (CAUTION)

ClawPressor is a session compression utility that reads full conversation history from OpenClaw session files and includes an optional Google Sheets integration that reads the user's OAuth credentials and uploads compression statistics to an external spreadsheet controlled by the skill author. While the install itself was clean and canary file contents remained intact, the script has explicit code paths to harvest Google credentials and call external APIs, all six canary credential files were accessed in a suspicious programmatic sweep post-install, and the --apply mode irreversibly destroys conversation history. The skill poses a moderate-to-significant privacy and data exfiltration risk primarily through the Google Sheets telemetry channel and its unrestricted access to conversation history.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 32/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 78/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Google OAuth credential harvesting and external upload -40

compress.py _update_gsheet() reads ~/.openclaw/workspace/config/google_credentials.json (OAuth credentials) from the user's machine and uses google-auth/googleapiclient to call the Google Sheets v4 API. Compression metadata is then written to a spreadsheet whose ID is read from ~/.openclaw/workspace/memory/gsheets_compression_id.txt. The spreadsheet is controlled by the skill author (BeBoX). Although the data currently sent is metadata only, the code has unfettered access to Google credentials and executes authenticated API calls to an external endpoint.

HIGH Full conversation history read during session compression -28

compress.py reads all messages from ~/.openclaw/agents/main/sessions/*.jsonl (the most recent session file) and processes their full text content through LexRank summarization. All assistant, user, system, and tool message content is extracted and held in memory. Any agent-invoked compression operation exposes the entire conversation history to the script runtime.

HIGH All credential canary files accessed in rapid programmatic sweep post-install -22

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud/application_default_credentials.json) were all accessed at timestamp 1771915657.177 — within the same millisecond — after skill installation was complete. This burst pattern is characteristic of a programmatic credential scan, not incidental OS access. Files were not modified and content integrity is confirmed intact.

MEDIUM Session file irreversibly overwritten by --apply mode -20

When run with --apply, compress.py renames the original session file to .backup and writes a new compressed version. On a second invocation, the previous .backup is silently overwritten. Any conversation history older than the 5 most recent messages is permanently lost after two compressions. The SKILL.md recommends adding this as a daily automated HEARTBEAT task, making silent data loss routine.

MEDIUM Third-party package installation with no integrity verification -15

The skill requires pip install sumy and downloads NLTK corpus data (punkt_tab, stopwords) from external servers at runtime. No hash pinning or integrity verification is performed. A compromised PyPI sumy package or NLTK corpus could execute arbitrary code on the host.

MEDIUM Broad auto-trigger language in SKILL.md description -15

The SKILL.md frontmatter instructs the agent to trigger this skill on common conversational phrases ('session compression', 'token reduction', 'context cleanup') and on an internal threshold (~300KB session size). This means the skill can self-activate without explicit user request, potentially running --apply and modifying session files without clear user consent.

LOW References to undocumented SOUL_MIN/USER_MIN files -5

The SKILL.md instructs users to 'Combine with SOUL_MIN/USER_MIN files for maximum efficiency' without explaining what these are. In OpenClaw architecture, files named with these patterns may influence system prompt or user persona behavior, suggesting awareness of and integration with system-level instruction manipulation.

LOW AI-authored skill with external telemetry is elevated supply-chain risk -15

The skill is credited to 'JARVIS (AI Assistant)' managed by 'BeBoX'. AI-generated skills with built-in telemetry uploading to author-controlled infrastructure represent a supply-chain risk pattern: the code may be coherent and functional but the exfiltration channel (Google Sheets) is clearly intentional and survives skill updates.