Low Risk — Risk Score 15/100
Last scan: 1 day ago
agent-optimize
Agent optimization diagnostic skill - analyzes OpenClaw status, identifies context bloat, skill noise, memory redundancy, and config conflicts
Agent optimization diagnostic tool with legitimate functionality. Reads .env files for config analysis but does not exfiltrate credentials. Minor documentation gaps regarding credential-adjacent file access.
Skill Name: agent-optimize
Duration: 42.5s
Engine: pi
Safe to install
This skill is safe for use. Consider clarifying in documentation that .env files are read only for key name analysis, not value extraction. The hardcoded admin path '/home/admin/.npm-global' should be parameterized.

Findings 2 items

Severity | Finding | Category | Location
Low | .env file access not explicitly documented | Doc Mismatch | src/index.js:237
  Detail: The diagnoseConfig() function reads .env files (line 237), but the SKILL.md capabilities section only lists 'skill-configs, session-logs, memory-files' for analyze. While filesystem:READ covers this, explicit documentation would improve transparency.
  Evidence: path.join(PATHS.workspace, '.env')
  → Add '.env' to the declared analyze paths or explicitly document env file reading in SKILL.md
Low | Hardcoded admin user path | Sensitive Access | src/index.js:24
  Detail: PATHS.npmGlobal uses a hardcoded '/home/admin/.npm-global' path instead of dynamically resolving the user's home directory. This is unusual and could indicate a developer oversight or a testing artifact.
  Evidence: npmGlobal: '/home/admin/.npm-global/lib/node_modules/openclaw'
  → Replace with path.join(os.homedir(), '.npm-global/lib/node_modules/openclaw') or require OPENCLAW_HOME to be set
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | src/index.js:46-49 reads ~/.openclaw/** and workspace/**
Shell | WRITE | WRITE | ✓ Aligned | src/index.js:58-62 uses execSync for find, grep, wc, du, ps, pgrep as declared
Network | NONE | NONE | | No network calls found in src/index.js
Environment | NONE | READ | ✓ Aligned | src/index.js:14-19 reads OPTIMIZE_* env vars but does not exfiltrate
3 findings
Medium | External URL | https://docs.openclaw.ai/performance | SKILL.md:503
Medium | External URL | https://docs.openclaw.ai/context-management | SKILL.md:504
Medium | External URL | https://docs.openclaw.ai/skill-optimization | SKILL.md:505

File Tree

3 files · 27.9 KB · 1122 lines
Markdown: 2 files · 603 lines; JavaScript: 1 file · 519 lines
├─ 📁 src
│ └─ 📜 index.js JavaScript 519L · 15.5 KB
├─ 📝 README.md Markdown 91L · 1.9 KB
└─ 📝 SKILL.md Markdown 512L · 10.5 KB

Security Positives

✓ No network requests or data exfiltration detected
✓ No obfuscation (no base64, eval, or anti-analysis patterns)
✓ No credential harvesting or value extraction from .env files
✓ Shell commands limited to declared safe tools (find, grep, wc, du, ps, pgrep, df)
✓ Code is readable and auditable (519 lines, no obfuscation)
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks detected (no package.json, no external dependencies beyond Node.js built-ins)