token-optimizer

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill mentions external services like OpenRouter, Anthropic, and Together.ai in its documentation (PROVIDERS.md and config-patches.json). These are informational references for multi-provider strategies and do not involve automated downloads or network calls by the skill itself.
  • [DATA_EXFILTRATION]: All scripts (context_optimizer.py, heartbeat_optimizer.py, model_router.py, and token_tracker.py) operate entirely on the local filesystem. They read and write state files to the designated OpenClaw workspace memory directory (~/.openclaw/workspace/memory/) and perform no network exfiltration.
  • [COMMAND_EXECUTION]: The script 'optimize.sh' is a simple bash wrapper that delegates commands to the bundled Python scripts. It does not spawn dangerous subprocesses or execute arbitrary strings.
  • [CREDENTIALS_UNSAFE]: The configuration patches and documentation use placeholder strings like '${OPENROUTER_API_KEY}' for illustrative purposes. No hardcoded secrets or sensitive credentials were found in the skill package.
  • [REMOTE_CODE_EXECUTION]: All Python scripts rely solely on the Python standard library (json, re, pathlib, datetime, os). No third-party dependencies are required or installed at runtime, and no remote code execution patterns were detected.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 08:32 AM
Security Audit — agent-trust-hub — token-optimizer