asif2bd_openclaw-token-optimizer/SECURITY.md

# Security Documentation

This document provides detailed security analysis of the OpenClaw Token Optimizer skill.

## Purpose

This skill helps reduce OpenClaw API costs by optimizing context loading and model selection.

## Two-Part Architecture — Read This First

This skill has **two distinct categories of files** with different security profiles:

### Category 1: Executable Scripts (`scripts/*.py`)
These are the actual working components of the skill.
- **Network access:** None
- **External API keys:** None required
- **Code execution:** No eval/exec/compile
- **Data storage:** Local JSON files in `~/.openclaw/workspace/memory/` only
- **Verdict:** ✅ Safe to run

### Category 2: Reference Documentation (`references/PROVIDERS.md`, `assets/config-patches.json`)
These are informational guides describing optional multi-provider strategies.
- **Network access:** Described (not performed by these files)
- **External API keys:** Referenced as examples (`${OPENROUTER_API_KEY}`, `${TOGETHER_API_KEY}`)
- **Code execution:** None — these are JSON/Markdown documentation
- **Purpose:** Help users who *choose* to configure alternative providers (OpenRouter, Together.ai, etc.)
- **Verdict:** ✅ Safe files — but describe services that require external credentials if you choose to use them

**Why this matters:** Security scanners that flag API key patterns or external service references in documentation files are technically correct — those references exist. They are not executable, not auto-applied, and require explicit manual user action to use.

## Security Flag Explanation

**Why VirusTotal or AV tools may flag this skill:**

1. **API key patterns in config-patches.json** — `${OPENROUTER_API_KEY}`, `${TOGETHER_API_KEY}` are placeholder strings for optional manual configuration. They are not credentials and not automatically used.
2. **External URLs in PROVIDERS.md** — References to openrouter.ai, together.ai, etc. are documentation links, not network calls.
3. **"Optimizer" keyword + file operations** — Common AV heuristic false positive.
4. **Executable Python scripts with shebang** — Standard Python scripts, no dangerous operations.

These are documentation-level references, not executable network code.

## Shell Wrapper: optimize.sh

`scripts/optimize.sh` is a **convenience CLI wrapper** — it does nothing except call the bundled Python scripts in this same directory. It is not an installer, not a downloader, and makes no network calls.

**What it does (complete source):**
```bash
case "$1" in
    route|model)   python3 "$SCRIPT_DIR/model_router.py" "$@" ;;
    context)       python3 "$SCRIPT_DIR/context_optimizer.py" generate-agents ;;
    recommend)     python3 "$SCRIPT_DIR/context_optimizer.py" recommend "$2" ;;
    budget)        python3 "$SCRIPT_DIR/token_tracker.py" check ;;
    heartbeat)     cp "$SCRIPT_DIR/../assets/HEARTBEAT.template.md" ~/.openclaw/workspace/HEARTBEAT.md ;;
esac
```

**Security properties:**
- ✅ No network requests
- ✅ No system modifications
- ✅ No subprocess spawning beyond the Python scripts already bundled
- ✅ No eval, exec, or dynamic code execution
- ✅ Only calls scripts already in this package (same directory via `$SCRIPT_DIR`)
- ✅ Included in `.clawhubsafe` SHA256 manifest

**To verify before running:**
```bash
grep -E "curl|wget|nc |ncat|ssh|sudo|chmod|eval|exec\(" scripts/optimize.sh
# Should return nothing
```

**If you prefer not to use the shell wrapper:** use the Python scripts directly (all documented in SKILL.md). The wrapper is optional.

---

## Script-by-Script Security Analysis

### 1. context_optimizer.py

**Purpose**: Analyze prompts to determine minimal context requirements

**Operations**:
- Reads JSON state file from `~/.openclaw/workspace/memory/context-usage.json`
- Classifies prompt complexity (simple/medium/complex)
- Recommends which files to load
- Generates optimized AGENTS.md template
- Writes usage statistics to JSON

**Security**:
- ✅ No network requests
- ✅ No code execution (no eval, exec, compile)
- ✅ Only standard library imports: `json, re, pathlib, datetime`
- ✅ Read/write permissions limited to OpenClaw workspace
- ✅ No subprocess calls
- ✅ No system modifications

**Data Handling**:
- Stores: File access counts, last access timestamps
- Location: `~/.openclaw/workspace/memory/context-usage.json`
- Privacy: All data local, never transmitted

### 2. heartbeat_optimizer.py

**Purpose**: Optimize heartbeat check scheduling to reduce unnecessary API calls

**Operations**:
- Reads heartbeat state from `~/.openclaw/workspace/memory/heartbeat-state.json`
- Determines which checks are due based on intervals
- Records when checks were last performed
- Enforces quiet hours (23:00-08:00)

**Security**:
- ✅ No network requests
- ✅ No code execution
- ✅ Only standard library imports: `json, os, datetime, pathlib`
- ✅ Read/write limited to heartbeat state file
- ✅ No system commands

**Data Handling**:
- Stores: Last check timestamps, check intervals
- Location: `~/.openclaw/workspace/memory/heartbeat-state.json`
- Privacy: All local, no telemetry

### 3. model_router.py

**Purpose**: Suggest appropriate model based on task complexity to reduce costs

**Operations**:
- Analyzes prompt text
- Classifies task complexity
- Recommends cheapest appropriate model
- No state file (pure analysis)

**Security**:
- ✅ No network requests
- ✅ No code execution
- ✅ Only standard library imports: `json, re`
- ✅ No file writes
- ✅ Stateless operation

**Data Handling**:
- No data storage
- No external communication
- Pure text analysis

### 4. token_tracker.py

**Purpose**: Monitor token usage and enforce budgets

**Operations**:
- Reads budget configuration from `~/.openclaw/workspace/memory/token-budget.json`
- Tracks usage against limits
- Provides warnings and alerts
- Records daily/monthly usage

**Security**:
- ✅ No network requests
- ✅ No code execution
- ✅ Only standard library imports: `json, os, datetime, pathlib`
- ✅ Read/write limited to budget file
- ✅ No system access

**Data Handling**:
- Stores: Usage totals, budget limits, alert thresholds
- Location: `~/.openclaw/workspace/memory/token-budget.json`
- Privacy: Local only, no transmission

## Assets & References

### Assets (Templates & Config)

- `HEARTBEAT.template.md` - Markdown template for optimized heartbeat workflow
- `config-patches.json` - Suggested OpenClaw config optimizations
- `cronjob-model-guide.md` - Documentation for cron-based model routing

**Security**: Plain text/JSON files, no code execution

### References (Documentation)

- `PROVIDERS.md` - Multi-provider strategy documentation

**Security**: Plain text markdown, informational only

## Verification

### Check File Integrity

```bash
cd ~/.openclaw/skills/token-optimizer
sha256sum -c .clawhubsafe
```

### Audit Code Yourself

```bash
# Search for dangerous functions (should return nothing)
grep -r "eval(\|exec(\|__import__\|compile(\|subprocess\|os.system" scripts/

# Search for network operations (should return nothing)
grep -r "urllib\|requests\|http\|socket\|download\|fetch" scripts/

# Search for system modifications (should return nothing)  
grep -r "rm -rf\|sudo\|chmod 777\|chown" .
```

### Review Imports

All scripts use only Python standard library:
- `json` - JSON parsing
- `re` - Regular expressions for text analysis
- `pathlib` - File path handling
- `datetime` - Timestamp management
- `os` - Environment variables and path operations

No third-party libraries. No network libraries.

## Data Privacy

**What data is stored:**
- File access patterns (which files loaded when)
- Heartbeat check timestamps
- Token usage totals
- Budget configurations

**Where data is stored:**
- `~/.openclaw/workspace/memory/` (local filesystem only)

**What is NOT collected:**
- Prompt content
- User messages
- API keys
- Personal information
- System information
- Network data

**External communication:**
- None. Zero network requests.
- No telemetry
- No analytics
- No phone home

## Threat Model

**What this skill CAN do:**
- Read/write JSON files in OpenClaw workspace
- Analyze text for complexity classification
- Generate markdown templates
- Provide recommendations via stdout

**What this skill CANNOT do:**
- Execute arbitrary code
- Make network requests
- Modify system files outside workspace
- Access sensitive data
- Run system commands
- Spawn subprocesses

**Risk Level**: Minimal
- Operates entirely within OpenClaw sandbox
- No privileged operations
- No external dependencies
- Auditable source code

## Provenance & Source

This skill is maintained by **Asif2BD** (M Asif Rahman). All source code is publicly auditable:

- **GitHub repository:** https://github.com/Asif2BD/OpenClaw-Token-Optimizer
- **ClawHub listing:** https://clawhub.ai/Asif2BD/openclaw-token-optimizer
- **Author:** Asif2BD
- **License:** Apache 2.0

Every file in this skill bundle is listed in `.clawhubsafe` with its SHA256 checksum. Verify integrity at any time:
```bash
cd ~/.openclaw/skills/openclaw-token-optimizer
sha256sum -c .clawhubsafe
```

The README references the GitHub repo for users who want to review the source before installing. That link is informational — nothing in the skill auto-downloads from it.

---

## License & Attribution

- **License**: Apache 2.0
- **Author**: Asif2BD
- **Repository**: https://github.com/Asif2BD/openclaw-token-optimizer (if published)
- **ClawHub**: https://clawhub.ai/Asif2BD/openclaw-token-optimizer

## Reporting Security Issues

If you discover a security vulnerability:

1. **Do NOT open a public issue**
2. Contact: [via ClawHub or GitHub]
3. Include: Affected files, severity, reproduction steps

## Changelog

- **2026-02-12**: Added comprehensive security documentation
- **2026-02-07**: Initial release (v1.2.0)

## VirusTotal Status

**Current Status**: False positive by heuristic analysis

**Detection Reason**: Generic heuristics flagging "optimizer" keyword + file operations

**Actual Threat**: None

**Recommended Action**: Whitelist this skill or review source code yourself

---

**Bottom Line**: This skill is safe. It's a productivity tool that helps reduce API costs through intelligent context loading and model selection. All code is auditable, uses only standard Python libraries, and performs no dangerous operations.