Low Risk — Risk Score 15/100
per-agent-compression-universal
Zero-config memory consolidation for multi-agent OpenClaw deployments. Auto-discovers agents and registers staggered cron tasks with full state tracking, deduplication, and domain-aware extraction.
Legitimate OpenClaw memory consolidation skill with minor documentation inconsistencies but no malicious behavior or hidden functionality.
Skill Name: per-agent-compression-universal
Duration: 77.7s
Engine: pi
Safe to install
Approve for use. No malicious behavior detected. Address minor version mismatch between SKILL.md and README.md headers before production release.

Findings 4 items

Severity Finding Location
Low
Version header mismatch (Doc Mismatch)
SKILL.md frontmatter declares version '1.4.0' but the README.md Chinese section header at line 1 states '版本: 1.2.2'. This is a documentation inconsistency with no security impact.
**版本**: 1.2.2
→ Synchronize all version headers across SKILL.md, README.md, skill.json, and CHANGELOG.md before release.
README.md:1
Low
Incomplete capability declarations in SKILL.md frontmatter (Doc Mismatch)
The capability list in SKILL.md frontmatter only includes generic categories (memory-consolidation, workspace-isolation) and does not mention shell execution, DingTalk delivery, or interactive prompts. While these are documented in body text, the frontmatter declaration is incomplete.
capabilities: [memory-consolidation, workspace-isolation, agent-auto-discovery, state-persistence, deduplication]
→ Add explicit capability declarations for 'shell-execution', 'notification-delivery', and 'interactive-prompt' to the frontmatter capabilities list for full transparency.
SKILL.md:1
Low
No dependency pinning for binaries (Supply Chain)
The skill uses shell scripts with no version pins for external binaries (jq, git, curl). While skill.json declares openclaw and jq as binary dependencies, it does not specify minimum or exact versions. No pip/npm/Cargo dependencies are present.
"binaries": ["openclaw", "jq"]
→ Add version constraints to skill.json, e.g., 'jq': '>=1.6', and note OpenClaw minimum version already declared as '>=2026.3.8'.
skill.json:1
Info
Interactive prompt security note (Doc Mismatch)
install.sh prompts for DELIVERY_TO interactively if not provided as a CLI arg. The recipient ID (DingTalk user/bot) is read from stdin and embedded in cron task messages. This is expected behavior for a legitimate notification skill, not a credential theft risk.
read -p "Enter recipient ID (--to): " input_to
→ Document clearly that DELIVERY_TO is a notification target ID, not a secret. Consider adding a confirmation prompt to reassure users.
install.sh:33
Resource Declared Inferred Status Evidence
Shell WRITE WRITE ✓ Aligned install.sh:line 45 — 'openclaw cron add' with subprocess shell
Filesystem NONE WRITE ✓ Aligned install.sh copies to /root/.openclaw/skills/; skill.json workspace file writes a…
Network NONE READ ✓ Aligned scripts/release.sh:176 fetches https://clawhub.com; SKILL.md:line 1 frontmatter …
Skill Invoke NONE WRITE ✓ Aligned install.sh:line 93 — 'openclaw cron add --agent $agent_id' creates autonomous cr…
1 finding
Medium External URL
https://clawhub.com
scripts/release.sh:176

File Tree

11 files · 95.3 KB · 2331 lines
Markdown 5f · 1590L Shell 5f · 714L JSON 1f · 27L
├─ 📁 scripts
│ ├─ 🔧 release.sh Shell 334L · 11.1 KB
│ └─ 🔧 validate-bilingual.sh Shell 84L · 2.3 KB
├─ 📝 CHANGELOG.md Markdown 476L · 25.0 KB
├─ 🔧 install.sh Shell 195L · 11.2 KB
├─ 🔧 publish-github-release.sh Shell 77L · 2.7 KB
├─ 📝 README.md Markdown 676L · 26.5 KB
├─ 📝 SKILL_RELEASE_SOP.md Markdown 278L · 9.2 KB
├─ 📋 skill.json JSON 27L · 1.0 KB
├─ 📝 skill.md Markdown 58L · 2.6 KB
├─ 📝 SKILL.md Markdown 102L · 3.0 KB
└─ 🔧 uninstall.sh Shell 24L · 681 B

Dependencies 3 items

Package Version Source Known Vulns Notes
openclaw >=2026.3.8 system binary No Declared in skill.json; version constraint provided
jq * system binary No Declared in skill.json but no version constraint
git * system binary No Used in scripts/release.sh; not declared in skill.json

Security Positives

✓ No obfuscation detected — no base64, no eval(), no atob(), no obfuscated strings anywhere
✓ No hardcoded credentials, tokens, or API keys in any file
✓ No remote code execution via curl|bash or wget|sh patterns
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No reverse shell, C2 communication, or data exfiltration patterns
✓ Security scan in release.sh checks for hardcoded credentials, long numeric IDs, and config leakage
✓ DingTalk recipient ID is a CLI parameter (--to), not hardcoded — legitimate design
✓ CRITICAL PRIVACY REMEDIATION release (v1.3.2) explicitly addressed prior CHANGELOG sensitive reference leakage
✓ All shell operations are documented OpenClaw CLI tools (openclaw agents list, openclaw cron add/edit/delete, git, jq)
✓ Per-agent execution isolation confirmed — each cron task runs under its respective agent with minimal blast radius
✓ No suspicious external IPs or domains besides known clawhub.com (for publishing)