ClawAudit verdict
oot
Token cost optimization toolkit with local-only Python scripts for context optimization and model routing; the skill metadata explicitly states scripts have no network requests, no subprocess calls, and local-only data, consistent with what the content shows.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
agent_memory
Findings (12)
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
README.md · code · curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/instal
Pipe to sh — executes piped content as shell commands
README.md · code · | sh
Possible hardcoded credential
references/PROVIDERS.md · code · API_KEY="sk-ant-...
Uses eval() — can execute arbitrary code
SECURITY.md · code · eval(
subprocess execution — runs system commands from Python
SKILL.md · code · subprocess.run(
References sudo — requests elevated privileges
SECURITY.md · code · sudo
Uses exec() — may execute shell commands
SECURITY.md · code · exec(
References agent memory files
SKILL.md · code · MEMORY.md
Popular HTTP library — network access
SKILL.md · code · got
Accesses OpenClaw config/secrets directly
docs/RESEARCH-NOTES.md · prose · downgraded · ~/.openclaw/openclaw.json
Sets world-executable permissions
SECURITY.md · code · chmod 777
Python os.environ.get — reads environment variable
scripts/model_router.py · prose · downgraded · os.environ.get(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
agent_memoryprocess_exec Is this flag fair?
Thanks — recorded.