sdc-creator

Session Compact

by deep-claw · GitHub ↗ · v1.2.1 · MIT-0
cross-platform ⚠ suspicious
Downloads 126
Stars 0
Active Installs 0
Versions 3
Install in OpenClaw
/install session-compact-skill
Description
Intelligent session compression plugin for OpenClaw that automatically manages token consumption and supports unlimited-length conversations. Compresses hist...
Usage Guidance
This package appears to implement the session-compaction feature it advertises, but there are a few red flags to check before installing:
- Packaging mismatch: the registry lists no install spec, yet the bundle contains a buildable code plugin (TypeScript, bin script, openclaw.plugin.json). Confirm whether you intend to run the code plugin (it requires building and copying into ~/.openclaw/extensions).
- Exec/CLI LLM calls: the implementation notes use of execSync to call the OpenClaw CLI for LLM summaries. That is convenient but increases risk (shell invocation, reliance on host CLI config). Inspect the built dist/index.js (or source) for exec/child_process usage and ensure arguments are properly escaped or, ideally, prefer a direct API integration.
- File writes & config edits: the plugin will persist JSON sessions under ~/.openclaw/sessions and expects changes to ~/.openclaw/openclaw.json. Back up your OpenClaw config and existing sessions before enabling.
- Source provenance: the package lists no homepage and the repository URLs in docs point to GitHub placeholders. If you plan to install, verify the source repository, review the built JS to ensure no hidden network calls or obfuscated code, and prefer installing via the official ClawHub/marketplace rather than manual cloning when possible.
- Inconsistent docs: different files claim different coverage/version numbers and at least one doc notes the plugin previously triggered platform security intercepts (execSync usage). Treat these as signs to audit the code rather than immediate red flags.

If you are not comfortable auditing the code yourself, ask the maintainer for a signed release on the official registry (ClawHub) or request an upstream review that addresses the execSync usage and clarifies packaging/installation instructions.
Capability Analysis
Type: OpenClaw Skill
Name: session-compact-skill
Version: 1.2.1

The skill bundle contains a high-risk shell injection vulnerability in 'src/compact/engine.ts'. The 'callLLM' function uses 'execSync' to execute a constructed shell command that includes conversation content. While it attempts to escape double quotes and backslashes, it fails to sanitize other shell metacharacters (e.g., backticks, dollar signs, or pipes), potentially allowing for arbitrary command execution if the agent processes malicious input. Although the extensive documentation and 163 test cases suggest the intent is a legitimate session management tool, the unsafe implementation of CLI integration poses a significant security risk.
Capability Tags
crypto · requires-oauth-token
Capability Assessment
Purpose & Capability
Name/description align with the code and docs: the repo contains a compaction engine, session store, session manager, CLI registration, and an openclaw.plugin.json. However there is a packaging mismatch: registry metadata lists this as an instruction-only skill (no install spec), yet the bundle contains a fully fledged code plugin (TypeScript source, bin script, plugin manifest, package.json). That is explainable (workspace skill + accompanying plugin code) but it is an inconsistency the user should be aware of.
Instruction Scope
SKILL.md and other docs instruct only relevant actions: install/build the plugin, add the plugin id to ~/.openclaw/openclaw.json, restart the gateway, and use openclaw CLI commands. The runtime behavior described (storing sessions under ~/.openclaw/sessions, reading plugin config, compressing messages, fallback to code extraction) is consistent with the code layout. There are no instructions that request unrelated system data or to post data to unknown external endpoints in the provided docs.
Install Mechanism
No formal install spec was included in the registry entry (declared 'instruction-only'), but documentation and package files provide manual install steps (git clone, npm install, build, copy to ~/.openclaw/extensions). The sources are typical (npm/TypeScript project) and there are no opaque download URLs in the provided docs. Still: the mismatch between 'no install spec' and the presence of buildable code is a packaging/documentation inconsistency to check.
Credentials
The skill declares no required env vars or credentials (consistent). The implementation calls the OpenClaw CLI/engine (docs and comments indicate callLLM() currently invokes OpenClaw via execSync), which relies on the host's OpenClaw configuration rather than new secrets. This is proportionate to the stated purpose, but the execSync / CLI-based LLM call means the plugin depends on the host OpenClaw runtime and any credentials it uses — verify that you trust that local configuration.
Persistence & Privilege
The plugin persists session data to ~/.openclaw/sessions and expects edits to ~/.openclaw/openclaw.json to enable the plugin/CLI. That level of access is expected for a session-management plugin. The skill does not request global 'always: true' privilege and does not appear to modify other skills' credentials or configs beyond adding itself to plugins.allow (normal for plugins).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install session-compact-skill
  3. After installation, invoke the skill by name or use /session-compact-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
v1.2.1: Fixed config persistence, 163 tests, updated deps to openclaw 2026.4.9, synced with code plugin
v1.1.0
Add cross-session memory, pre-compaction protection (WAL protocol), context recovery, working buffer, and daily memory archive
v1.0.0
Initial release: Intelligent session compression skill for OpenClaw
Metadata
Slug session-compact-skill
Version 1.2.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Session Compact?

Intelligent session compression plugin for OpenClaw that automatically manages token consumption and supports unlimited-length conversations. Compresses hist... It is an AI Agent Skill for Claude Code / OpenClaw, with 126 downloads so far.

How do I install Session Compact?

Run "/install session-compact-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Session Compact free?

Yes, Session Compact is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Session Compact support?

Session Compact is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Session Compact?

It is built and maintained by deep-claw (@sdc-creator); the current version is v1.2.1.
