token-optimizer
Audited by Socket on Mar 12, 2026
1 alert found:
Security
The Token Optimizer appears to be a locally-scoped configuration tool designed to reduce cost by adjusting model routing, heartbeats, caching, and prompts within OpenClaw. Its stated purpose aligns with enabling cost reductions and system health checks, and most of its actions are confined to local configuration and provider-directed behavior. However, there is a notable risk associated with the installation path (clawhub install token-optimizer), which indicates an unverifiable binary/CLI source rather than an official registry. This creates a supply-chain risk and warrants a securityRisk rating in the high-moderate range. The data flow is primarily local with potential external provider interactions during normal operation, which should be validated at runtime to ensure no unintended data exfiltration. Given the unverifiable install path and potential for credential exposure if provider keys are stored in config, the overall risk is MEDIUM-HIGH. Treat as SUSPICIOUS/MODERATE risk until provenance and verification of the install source are confirmed, at which point the risk could be downgraded to BENIGN.