Is openclaw-agent-optimize safe?

https://clawhub.ai/phenomenoner/openclaw-agent-optimize

Overall score: 82 · SAFE

This is a legitimate advisory skill for optimizing OpenClaw agent configurations. It contains no executable code, no data exfiltration vectors, and no malicious prompt injection. The primary concerns are: (1) a recommendation to install an external unaudited package (openclaw-mem) from the same author, (2) behavioral directives that could reduce monitoring coverage if users approve changes without understanding trade-offs, and (3) combinatorial risk if paired with a malicious skill that bypasses user approval gates. The skill's explicit safety contract and user-gated execution model significantly mitigate these risks.

Category Scores (score / 100 · weight in overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM External software installation recommendation -15

The heartbeat-optimization reference recommends installing openclaw-mem from https://github.com/phenomenoner/openclaw-mem. While presented as optional, an agent following this skill could propose installing unaudited external software. This creates a supply-chain trust dependency on the same author.

LOW Behavioral directives that reduce monitoring -8

The skill instructs agents to disable native heartbeat monitoring and replace it with less frequent cron-based alternatives. While framed as cost optimization with user approval gates, this pattern could reduce an agent's self-monitoring capability. The safety contract mitigates this by requiring user choice between profiles A/B/C.

LOW Strong directive language shapes agent behavior -5

The SKILL.md uses imperative phrasing ('must follow', 'Never mutate', 'Never create/update/remove') that overrides default agent behavior. These directives are safety-oriented (preventing unauthorized mutations), but the pattern demonstrates how a skill can commandeer agent decision-making via prompt injection-adjacent techniques.

INFO Platform reads sensitive files during installation -12

The OpenClaw platform (not the skill itself) read .env, .aws/credentials, and auth-profiles.json during the installation process. This is standard platform initialization behavior and not attributable to the skill, but users should be aware that the installation environment accesses these files.

INFO JIT compilation artifacts created in /tmp -10

Multiple .cjs files were compiled under /tmp/jiti/ during installation. These are OpenClaw platform JIT-compiled modules (memory-core, plugin-sdk, channels-registry, etc.) and are standard platform behavior, not skill-initiated code execution.

LOW Combinatorial risk with other skills -20

The optimization skill recommends disabling monitoring features and reducing alert frequency. If a separate malicious skill were installed that auto-approves changes or suppresses user prompts, this skill's recommendations could be weaponized to create monitoring blind spots. The skill itself is not malicious, but its advice creates a larger attack surface when combined with untrusted skills.

INFO Well-structured safety contract -5

The skill includes an explicit safety contract requiring user approval for all persistent changes, rollback plans before modifications, and profile-based options when reducing coverage. This is stronger safety hygiene than most skills.