← 返回 Skills 市场

Overkill Token Optimizer

Name: Overkill Token Optimizer
Author: broedkrummen

作者 Broedkrummen · GitHub ↗ · v1.0.3

cross-platform ⚠ suspicious

455

总下载

当前安装

版本数

在 OpenClaw 中安装

/install broedkrummen-overkill-token-optimizer

功能描述

Optimize and manage session tokens for workspace memory with commands to check usage, reset, index, search, and compress tokens.

使用说明 (SKILL.md)

Overkill Token Optimizer

Token optimization for OpenClaw agents. Reduces token usage through CLI compression, session management, and memory optimization.

Prerequisites

Required: oktk CLI must be installed manually:

npm install -g oktk

Or see: https://github.com/satnamra/oktk

Features

Token stats - View session token usage
Session indexing - Index old sessions for search
Hybrid search - Semantic + keyword search
CLI compression - Compress command outputs (requires oktk)

CLI Commands

# Show token usage statistics
token-optimizer stats

# Check optimization level
token-optimizer check

# Index sessions for search
token-optimizer index

# Search sessions (use --hybrid for semantic+keyword)
token-optimizer search "query" --hybrid

# Compress command output (requires oktk)
token-optimizer compress git status

Configuration

Set custom oktk path:

export OKTK_BIN=/path/to/oktk

Storage

Session index: ~/.openclaw/workspace-memory-builder/.session_index/

Overkill Token Optimizer v1.0.3

安全使用建议

This skill appears to do what it says (operate on local session files and call a compression/indexing CLI), but there are several red flags you should consider before installing or running it: - Do NOT run curl -sSL https://get.oktk.io | sh or any unattended install script without inspecting its contents first. The package includes a FRAMEWORK.md that suggests that script — treat it as untrusted until you review it. - Review the oktk project's source (the repo referenced in SKILL.md) and its npm package to ensure it's legitimate and that you trust running it on your machine. - The CLI will read your session files under ~/.openclaw/workspace-memory-builder/memory/*.md and will write an index under ~/.openclaw/workspace-memory-builder/.session_index/. If these files contain sensitive data, be aware the tool accesses them (this is expected for a token optimizer). - The included Python CLI has several issues/typos (a malformed import block, duplicated constants, and user-facing typos like "oktl" and a wrong npm install message) which suggest the code hasn't been well-tested. Expect runtime errors; inspect/execute the code in a safe environment (container/VM) first. - Because compress/index operations invoke external binaries and may run arbitrary commands (via oktk), avoid giving the agent automatic/autonomous permission to call these commands, or restrict usage until you've verified behavior. If you want to proceed: inspect the code locally, audit the oktk installer and package, run the tool in an isolated environment first, and back up any session data before running reset/confirm operations.

功能分析

Type: OpenClaw Skill Name: broedkrummen-overkill-token-optimizer Version: 1.0.3 The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability. The `cli.py` script executes an external `oktk` binary, whose path is determined by the `OKTK_BIN` environment variable (defined in `config.py`). If an attacker can control this environment variable (e.g., by setting `OKTK_BIN=/bin/sh`), they can execute arbitrary commands via the `token-optimizer compress <command>` functionality, as the user-supplied `<command>` is passed directly to the `subprocess.run` call. While the skill's stated purpose is benign, this vulnerability allows for unauthorized command execution.

能力评估

ℹ Purpose & Capability

The name/description match the behavior: the code and docs operate on local workspace session files (~/.openclaw/workspace-memory-builder) and call an external oktk CLI to compress CLI output and index/search sessions. _meta.json and SKILL.md both reference npm/oktk which is consistent with the stated purpose.

ℹ Instruction Scope

SKILL.md instructs only local operations (indexing, searching, compressing, resetting sessions) and to install the oktk CLI. The code reads session files and writes an index under the stated storage path, which is expected. However FRAMEWORK.md (bundled in the package) also suggests running an external curl install (curl -sSL https://get.oktk.io | sh) — that is not in the main SKILL.md but is included and raises risk because it instructs running a remote install script. The CLI will run user-supplied commands (via the compress command) through oktk, which is expected functionality but means you should be cautious about what commands are passed or allowed to run automatically.

⚠ Install Mechanism

There is no formal install spec for the skill (instruction-only), but both SKILL.md and FRAMEWORK.md tell the user to install oktk. FRAMEWORK.md recommends running a curl-get script (get.oktk.io) which is higher-risk than installing from a known vetted release; the SKILL.md suggests npm install -g oktk (safer if package is legitimate). Because the skill relies on a third-party CLI that would be installed from the network, you should review the oktk project and any install scripts before running them.

✓ Credentials

The skill does not request secrets or credentials; the only configurable environment variable is OKTK_BIN (path to the oktk binary). That is proportionate to a tool that wraps a local CLI. _meta.json lists required_binaries including npm and oktk which aligns with the need to install oktk.

✓ Persistence & Privilege

The skill is not marked always:true and does not request system-wide config changes. It reads/writes only to its own workspace directory under the user's home (~/.openclaw/...), which is expected for a token optimizer. The default ability for the model to invoke the skill autonomously is present but not combined with other high-risk privileges in this package.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install broedkrummen-overkill-token-optimizer
安装完成后，直接呼叫该 Skill 的名称或使用 /broedkrummen-overkill-token-optimizer 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.3

v1.0.3 - Fixed warnings: manual oktk install, declared npm dependency, removed auto-install

v1.0.2

v1.0.2 - Auto-install oktk if not found

v1.0.1

v1.0.1 - Token optimizer CLI with stats, check, reset, index, search, compress

元数据

Slug broedkrummen-overkill-token-optimizer

版本 1.0.3

许可证 —

累计安装 0

当前安装数 0

历史版本数 3

常见问题