Low Risk — Risk Score 20/100
Last scan: 23 hr ago
context-monitor
Hook that monitors context usage and auto-compresses old session memories when usage exceeds threshold
A legitimate context management hook that compresses old session memories, with minor documentation gaps around shell execution disclosure.
Skill Name: context-monitor
Duration: 40.5s
Engine: pi
Safe to install
Add explicit declaration of git subprocess usage in SKILL.md frontmatter and ensure skill name consistency across files.

Findings (3 items)

Severity: Medium | Category: Doc Mismatch | Location: handler.ts:130
Finding: Undeclared shell execution via execSync
handler.ts uses child_process.execSync to run 'git add' and 'git commit' commands, but _meta.json only declares 'node' and 'git' as required bins without explicitly noting shell execution capability.
Evidence: execSync(`cd ${workspaceDir} && git add -A`, { stdio: 'pipe' });
→ Add 'shell:WRITE' to declared capabilities in _meta.json if this framework supports it, or document the git execution in SKILL.md features section.

Severity: Low | Category: Doc Mismatch | Location: SKILL.md:2
Finding: Inconsistent skill naming across files
SKILL.md declares name='context-shrink' while _meta.json and HOOK.md both use 'context-monitor'. This creates ambiguity about the actual skill identity.
Evidence: name: context-shrink
→ Standardize skill name to 'context-monitor' across all metadata files.

Severity: Low | Category: Doc Mismatch | Location: handler.ts:25
Finding: Hardcoded remote model reference
COMPRESSION_MODEL references 'ollama-remote/qwen2.5:0.5b' but this external dependency is not declared in SKILL.md or _meta.json.
Evidence: const COMPRESSION_MODEL = 'ollama-remote/qwen2.5:0.5b';
→ Document the compression model dependency in SKILL.md Configuration section.
Resources

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Aligned | handler.ts:119 - fs.writeFileSync
Filesystem | NONE | READ | ✓ Aligned | handler.ts:98 - fs.readFileSync
Shell | NONE | WRITE | ✓ Aligned | handler.ts:130-132 - execSync git commands
Environment | NONE | READ | ✓ Aligned | handler.ts:43 - process.env.HOME
Network | NONE | NONE | N/A | no network access
Clipboard | NONE | NONE | N/A |
Browser | NONE | NONE | N/A |
Database | NONE | NONE | N/A |
Skill Invoke | NONE | NONE | N/A |

File Tree

4 files · 11.3 KB · 362 lines
TypeScript: 1 file, 188 lines · Markdown: 2 files, 155 lines · JSON: 1 file, 19 lines
├─ 📜 handler.ts TypeScript 188L · 7.3 KB
├─ 📝 HOOK.md Markdown 119L · 2.7 KB
├─ 📋 package.json JSON 19L · 380 B
└─ 📝 SKILL.md Markdown 36L · 930 B

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
node (system) | N/A | system binary | No | Required runtime, declared in _meta.json
git (system) | N/A | system binary | No | Required for commit operations, declared in _meta.json

Security Positives

✓ No credential theft - does not iterate os.environ or access ~/.ssh, ~/.aws, .env files
✓ No network exfiltration - makes no outbound HTTP requests or data POSTs
✓ No obfuscation - code is readable TypeScript with clear logic flow
✓ Git operations are scoped to workspaceDir only, limiting blast radius
✓ execSync uses stdio:'pipe' to prevent command injection via user-controlled paths
✓ Filesystem writes are limited to MEMORY.md in the workspace, not system paths
✓ No reverse shell, C2, or reverse engineering indicators detected
✓ Legitimate use case: context management is a valid hook functionality