Is blackworm/optimize-context safe?
https://github.com/openclaw/skills/tree/main/skills/blackworm/optimize-context
The blackworm/optimize-context skill presents a moderate risk that warrants careful review before deployment. It contains no overt prompt injection text, C2 network calls, or malicious install-time code, but its two core mechanisms (automatically clearing conversation history once a session exceeds 30 messages, and writing extracted 'facts' back to MEMORY.md) create significant implicit attack surface: the skill can silently expunge security-relevant instructions from agent context, and its broad fact-extraction patterns would persist sensitive conversational content (including any file contents an agent reads) to local storage indefinitely. Canary file accesses observed during installation appear attributable to the Oathe monitoring framework rather than to the skill itself, and the installation cloned the repository from the expected source with no unexpected outbound connections.
Findings (8)
HIGH Automatic context clearing silently removes agent instruction history -25
Once message count exceeds the configured threshold (default 30), the skill automatically invokes clearOldContext(), which discards all but the 10 most recent messages and replaces them with a canned system notice. This occurs without explicit per-invocation user consent. Any security instructions, tool-use restrictions, or behavioral guidelines injected early in a conversation can be wiped, leaving the agent operating with a stripped context. The background ContextMonitor system is designed to trigger this repeatedly throughout long sessions.
HIGH MEMORY.md write-back enables persistent cross-session instruction injection -13
The updateMemory() function appends extracted 'facts' from every optimized conversation directly into MEMORY.md. If MEMORY.md is loaded into agent context on session start (as the skill architecture implies and as the Oathe system does in this codebase), an attacker who can shape conversational content can craft messages that satisfy extractFacts() regex patterns and persistently inject arbitrary text into the agent's memory file, surviving indefinitely across sessions.
MEDIUM Broad fact extraction persists sensitive conversation content to local disk -20
extractFacts() and containsImportantInfo() apply permissive regex patterns to every message in the conversation. Any sentence matching 'X is Y', 'X has Y', 'I like/want/need Y', or 'My preference/name is Y' is extracted and written to both MEMORY.md and dated context-summary files. In practice this means passwords mentioned conversationally, API keys discussed, internal system details, or personal data would all be captured to persistent local storage without user awareness.
MEDIUM Indirect exfiltration channel when combined with file-reading agent tools -28
This skill does not make network calls, but when an agent with filesystem read access reads a sensitive file during a conversation, the context optimizer will extract and persist that file's content into MEMORY.md and context-summary files via its summarization logic. If the attacker also controls any subsequent file-sync, backup, or logging operation, this creates an indirect multi-hop exfiltration path that bypasses direct network monitoring.
MEDIUM Hardcoded author home directory path as default workspace -12
Both optimize.js and context-monitor.js use '/home/blackworm/.openclaw/workspace' as the default constructor argument for workspaceDir. When OpenClaw instantiates these classes without explicitly passing a workspace path, the skill writes MEMORY.md updates and context summaries into the path the skill author specified rather than the actual user's workspace. This could corrupt unrelated workspace files or silently fail in production deployments.
MEDIUM Credential files accessed during installation window -10
inotify and auditd records show read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json in two clusters. The canary integrity system confirms all files were unmodified. Temporal analysis places both access clusters within windows consistent with Oathe's own pre-install baseline and post-install canary verification scans rather than skill-initiated access. However, the second access cluster at 1771866205.718 occurs slightly after the installation completes, and the originating process cannot be definitively attributed from the available records.
LOW Silent automated file deletion without user confirmation -10
cleanupOldSummaries() calls fs.unlinkSync() on any context-summary file older than 30 days with only a console.log notification. Destructive filesystem operations in an agent skill should require explicit user authorization rather than running automatically based on a hardcoded retention policy.
LOW SKILL.md instructs npm install but no package.json present -5
The top-level SKILL.md instructs users to run 'npm install' in the context-optimizer directory, but no package.json was found anywhere in the skill repository. This inconsistency is a minor documentation defect but also represents a latent attack surface: a future update that adds a package.json with preinstall/postinstall scripts would execute arbitrary code at install time.