Is idanmann10/startclaw-optimizer safe?

https://github.com/openclaw/skills/tree/main/skills/idanmann10/startclaw-optimizer

72
CAUTION

The StartClaw Optimizer skill presents no direct prompt injection in its SKILL.md and its source code contains no implemented network exfiltration paths. However, the skill raises significant architectural concerns: the OptimizerScheduler exposes configurable hooks enabling arbitrary code execution, the SubagentContextCompactor processes full conversation history and explicitly documents a planned external API call that would enable data exfiltration in a future version, and all six monitored credential files were read post-installation by a process that cannot be definitively attributed. The skill's broad interception of routing, scheduling, browser, and context subsystems creates a high-impact attack surface if any component is later weaponized via a version update.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 72/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

HIGH All credential canary files accessed post-installation -25

Six canonical credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were all opened and read at a single timestamp (1771925676.785), approximately 5 seconds after skill installation completed. While the canary integrity check reports the files as unmodified and the timing is consistent with post-audit monitoring verification, the responsible process cannot be definitively identified from the available audit records. No corresponding network exfiltration was detected.

HIGH Scheduler accepts arbitrary executable hooks via config -18

OptimizerScheduler's constructor takes a config object with preflight and postflight arrays. The execute() method iterates these arrays and awaits each hook function. Additionally, addPreflight() and addPostflight() allow dynamic hook registration at runtime. Any caller with access to the scheduler instance can inject functions that run with full agent process privileges before and after every task.

HIGH Context compactor processes full conversation history with planned external API call -12

SubagentContextCompactor receives the complete agent conversation message array and extracts content matching patterns that include user constraints, error messages, code references, and decision rationale. The summarizeWithHaiku() method is explicitly a stub, with an inline comment stating that it will be replaced by an actual Anthropic API call. When activated, this function would serialize and transmit the entire conversation history to an external endpoint.

MEDIUM Unimplemented API call stub establishes future exfiltration path -8

The summarizeWithHaiku() function is intentionally incomplete. Its presence documents the developer's intent to make external API calls from within the context compaction flow. A silent point-release replacing this stub with a live implementation would not require SKILL.md changes and would not be detectable by prompt-only audits.

MEDIUM Skill intercepts four core agent subsystems simultaneously -20

The skill claims control over model selection (router.js), task execution with pre/post hooks (scheduler.js), browser tab lifecycle (browser-governor.js), and conversation context for all subagent spawns (context-compaction.js). This breadth means a compromised version of this skill touches nearly every agent action. Individually each component seems defensible; together they form a comprehensive interception layer.

MEDIUM Dashboard reads from user home directory config file -8

scripts/dashboard.py reads configuration from ~/.clawdbot/optimizer/config.json. If this file exists and contains attacker-controlled values (e.g., via a separate compromise), it could influence dashboard behavior. The config path is outside the skill directory and in the user's home, expanding the skill's filesystem footprint.

LOW npm package name mismatch creates supply chain risk -4

package.json declares the package as @startclaw/openclaw-optimizer and SKILL.md instructs users to run npm install @startclaw/openclaw-optimizer. The actual installed code comes from a git sparse-checkout of github.com/openclaw/skills. If a user follows the README instructions and runs npm install, they receive whatever version is published to the npm registry, which may differ from the audited git content.

INFO Pre-existing connections to Canonical infrastructure closed during monitoring 0

Connections to 185.125.190.18:443 and 185.125.188.57:443 (Canonical/Ubuntu infrastructure) were established before installation began and are absent in the post-install connection diff. These are not attributable to the skill.