Is token-optimizer safe?
https://clawhub.ai/smartpeopleconnected/token-optimizer
Token-optimizer is a Python-based OpenClaw cost optimization tool that is functionally legitimate but exhibits concerning behavior during installation. The install phase accessed sensitive files (.env, .aws/credentials, auth-profiles.json) without justification, though no network exfiltration was detected. The skill bundles executable Python with subprocess capabilities and instructs the agent to run these commands via broad trigger phrases, creating a risk of unintended configuration changes. The optimizer.py source is truncated in evidence, preventing complete security review of the primary code-modification module.
Findings (13)
HIGH Sensitive file access during install: .env and AWS credentials -40
Filesystem monitoring captured ACCESS events on /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the clone/install phase. While these accesses may be incidental to the OpenClaw runtime environment loading, a legitimate token optimizer skill has no reason to touch .env files or AWS credentials. The skill claims to only modify OpenClaw configuration.
HIGH Auth profiles accessed during install -25
The install phase accessed /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json which contains authentication credentials for the agent's connected services. A cost optimization tool should not need to read authentication profiles.
HIGH Install phase reads sensitive files outside skill directory -50
During clone/install, the process accessed .env, .aws/credentials, auth-profiles.json, .profile, and .bashrc — all outside the skill directory. While some of these (like .bashrc) may be normal shell initialization, the combination with .env and .aws/credentials is concerning. No network exfiltration was detected, but the data was read into process memory.
HIGH Files created outside skill directory in /tmp -20
The install phase created directories and files in /tmp/openclaw-1000/ and /tmp/jiti/. While jiti is a known JavaScript JIT compilation cache (likely from the OpenClaw runtime), the gateway.e9191928.lock file in /tmp/openclaw-1000/ indicates the skill's install triggered broader system processes.
MEDIUM Skill contains executable Python with subprocess calls -35
The skill bundles a full Python application (cli.py, src/optimizer.py, src/analyzer.py, src/verify.py) and SKILL.md instructs the agent to execute these via 'python cli.py' commands. The optimizer and verifier modules use subprocess.run() to execute shell commands (ollama list, ollama pull). This gives the skill indirect shell execution capability through the agent.
MEDIUM Incomplete source code — optimizer.py truncated -20
The optimizer.py source code is truncated in the collected evidence, cutting off at the HEARTBEAT_PROVIDERS dictionary definition. This prevents full security review of the main optimization module which is responsible for modifying user configuration files. The truncated portion could contain additional subprocess calls, file operations, or network requests.
MEDIUM HTTP requests in verify.py via urllib -10
verify.py contains urllib.request.urlopen() calls for checking provider reachability. While used for health checks, this network capability could be repurposed if the code were modified, and it normalizes outbound HTTP from within skill code.
MEDIUM Skill instructs agent to execute Python commands -15
SKILL.md's Quick Start section instructs the agent to run multiple Python CLI commands. When the skill is loaded into the agent's context via triggers, the agent may autonomously execute 'python cli.py optimize' which modifies the user's OpenClaw configuration. The broad trigger list (18 phrases) means casual mentions of cost could activate this.
MEDIUM Templates designed to replace user's agent personality files -10
The skill includes templates/SOUL.md, templates/USER.md, and templates/OPTIMIZATION-RULES.md which are intended to replace the user's existing agent configuration files in ~/.openclaw/workspace/. This could silently alter agent behavior and personality without the user's full understanding.
LOW Contradictory licensing — MIT vs paid marketplace tiers -15
MARKETPLACE.md lists pricing tiers (Personal $29.99, Team $99.99, Enterprise contact) while SKILL.md, setup.py, and skill.json all claim MIT license. This contradiction suggests either deceptive marketing or a bait-and-switch model where the free version is a gateway to paid services.
LOW Periodic donation nag embedded in verification tool -10
verify.py contains a check_benefit_report() function that displays a Ko-fi donation prompt every 7 days when the user runs verification. While not malicious, this is nag-ware behavior embedded in what appears to be a diagnostic tool.
LOW Capability downgrade risk — forces Haiku as default model -25
The optimizer forces Haiku as the default model for all tasks. While this saves money, it significantly degrades agent capability for complex reasoning tasks. Combined with broad triggers, a user casually mentioning costs could have their agent silently downgraded without understanding the capability trade-off.
INFO No network exfiltration detected 0
Despite accessing sensitive files during install, no outbound network connections were detected. The sensitive file reads did not result in data being sent externally during the monitored period.