Problem #1: Token Costs Spiral Out of Control

By default, OpenClaw reloads accumulated memory and workspace context on every run. As memory files grow, each new session inherits the full cost of everything that came before it.

Over time, even simple follow-up tasks become expensive.

Symptoms

• Token usage increases week over week

• Similar prompts cost more over time

• It’s unclear whether tokens are spent on reasoning or context loading

Solution: Make Token Usage Observable

Before token usage can be reduced, it has to be observable. The model-usage skill addresses this by exposing where tokens are actually spent across conversations and tools.

What it provides:

• Per-conversation token consumption

• Cost attribution by workflow or tool

• Exportable reports for tracking usage over time

Install:

Once enabled, the skill highlights which interactions consistently generate large context loads. If a specific workflow dominates token usage, teams can adjust how results are summarized, stored, or reused before they are written back into memory.

This does not reduce token usage directly, but it removes blind spots. Understanding where context growth originates is the prerequisite for any meaningful optimization.

Problem #2: The Agent Re-reads The Entire Codebase Every Session

Every coding query forces OpenClaw to re-read large portions of the project because it has no persistent architectural knowledge. A question like "How is authentication implemented?" triggers a full codebase scan, 50+ files read to piece together the answer, consuming 10,000+ tokens when only 300-500 tokens of relevant context matter.

The agent cannot distinguish between current and deprecated code. It cannot remember that the project uses JWT tokens with 24-hour expiration or that the auth logic is in src/middleware/auth.ts. A 1,000+ file project with 10 coding questions per day burns hundreds of thousands of tokens on redundant file reads.

Solution: Store Codebase Knowledge Once

The byterover skill creates a persistent memory layer for the codebase. Instead of re-reading files on every query, ByteRover stores architectural knowledge in an indexed structure that can be queried directly.

Install:

How it works:

ByteRover operates like version control for context. Knowledge gets stored once and then retrieved as needed.

"Store this authentication middleware pattern using ByteRover"

ByteRover saves it to the persistent memory layer with metadata: file paths, dependencies, and implementation patterns. Later, when someone asks "How is auth implemented?", ByteRover retrieves the exact context without re-scanning the codebase

"How is auth implemented in my project? Use ByteRover"

For teams, brv pull syncs architectural decisions from the shared workspace, reducing the context tax when teammates take over tasks.

Problem #3: API Provider Costs Vary Widely

Most users configure Claude Opus or GPT-4 as their default model and apply it uniformly across all requests, from debugging to file operations. Claude Opus costs $5.00 per million input tokens, while Haiku costs $1.00 per million.

If 70% of queries could run on Haiku without quality degradation, the monthly overspend would reach hundreds of dollars.

Solution: Automatic Model Routing

The save-money skill routes requests based on task complexity. Simple queries route to Haiku ($1 per 1M tokens), moderate tasks use Sonnet ($3 per 1M tokens), and only deep reasoning receives Opus ($5 per 1M tokens).

Install:

How it works:

The skill analyzes each incoming request and determines task complexity. Simple queries route to Haiku or local models. Moderate complexity tasks use Sonnet. Only complex reasoning that genuinely needs premium capability gets Opus or GPT-4.

The skill evaluates task complexity and routes accordingly, prioritizing the cheapest model that won't degrade quality.

The skill also strips unnecessary context before routing, preventing premium rates from being applied to irrelevant conversation history.

Problem #4: Security Vulnerabilities

OpenClaw runs with significant system privileges: filesystem access, shell execution, and network requests. Without proper safeguards, this becomes a structural vulnerability.

Prompt injection is the primary threat. Real incidents include private SSH keys extracted in five minutes via email prompt injection, entire email inboxes (6,000+ emails) deleted through injected commands, and hundreds of exposed instances leaking API keys and OAuth tokens on Shodan. Matvey Kukuy, CEO of Archestra AI, demonstrated the attack live

Additional vulnerabilities include plaintext credential storage in config files and unrestricted filesystem access to sensitive directories like ~/.ssh and ~/.aws. If an attacker gains access through prompt injection, they harvest credentials and system files immediately.

Solution: Layered Security

Three mechanisms address these vulnerabilities: secure credential management, automated security audits, and explicit access controls.

Step 1: Secure Credential Management

The 1password skill integrates with 1Password's CLI. Credentials stay encrypted in the 1Password vault rather than stored in plaintext config files

Install:

The skill retrieves credentials from 1Password at runtime. When OpenClaw needs an API key, it queries 1Password, receives the credential through a secure channel, and uses it for that request. The credential never touches the filesystem in plaintext.

Setup:

# Install 1Password CLI
op --version

# Sign in once
op signin

# Reference credentials in conversations
"Get my AWS credentials from 1Password"

If an OpenClaw instance is compromised, attackers don't gain access to the 1Password vault. They'd need separate authentication.

Step 2: Run Security Audits

OpenClaw ships with a security audit tool that checks for common misconfigurations.

Run the audit:

# Basic scan
openclaw security audit

# Auto-fix common issues
openclaw security audit --fix

The audit checks gateway authentication exposure, browser control ports, filesystem permissions, and plaintext credentials in config files. Auto-fix applies recommended security settings automatically.

Run this audit weekly if the instance is continuously running. Configurations drift over time, especially after installing new skills that modify permissions.

Step 3: Configure Access Controls

Define what OpenClaw can access and what requires manual approval.

Configure in ~/.openclaw/openclaw.json:

json{
  "dm": {
    "policy": "pairing"
  },
  "workspace": {
    "paths": ["~/projects"],
  },
  "tools": {
    "policy": "allowlist",
    "allowlist": ["filesystem.read", "web.browse"

This configuration does three things:

1. DM policy set to "pairing" ensures only authenticated users can send commands.

2. Workspace paths restrict filesystem access to ~/projects, preventing access to ~/.ssh or ~/.aws.

3. Tool allowlist explicitly specifies which capabilities OpenClaw can use in this case, only file reading and web browsing.

This limits the blast radius of prompt injection. Even if an attacker successfully injects commands, those commands fail if they attempt restricted operations.

These three mechanisms work together. The 1Password skill prevents credential theft, security audits catch misconfigurations before they're exploited, and access controls limit what an attacker can do even if they bypass other defenses.

Problem #5: OpenClaw Stays Reactive by Default

OpenClaw waits to be asked before it does anything. Users check email, then ask it to summarize. They remember a task, then tell it to add a reminder. It never acts first.

It does support proactive behavior through its heartbeat mode, but it’s off by default and poorly surfaced. As a result, most users keep doing the remembering and checking themselves, while the agent waits for instructions instead of anticipating what matters.

The Solution: Enable Proactive Behavior

The proactive-agent skill turns on the heartbeat feature with safe defaults. OpenClaw wakes up periodically to check for things that need attention.

Install:

What it does:

The skill includes memory architecture with pre-compaction flush, so context from previous checks persists between heartbeats. OpenClaw remembers what it already communicated and doesn't repeat notifications.

It also uses reverse prompting, where the agent brings up ideas or suggestions that weren't explicitly requested

Configuration happens through conversation:

"Check my email every 30 minutes for urgent messages"
"Remind me about tasks due today at 9 AM"
"Surface ideas I mentioned but didn't act on"

The agent asks for confirmation before taking actions like sending emails or creating calendar events. It surfaces information proactively but waits for approval on anything that changes state.

Conclusion

Five skills transform OpenClaw from a reactive assistant to a production-ready system. Track costs with model-usage. Fix token waste with byterover. Route tasks efficiently with save-money. Lock down credentials with 1password and access controls. Enable autonomous behavior with a proactive agent.

Each skill addresses a structural issue, not a usage issue. The difference between expensive chaos and reliable operation is whether consts are measured, routing is optimized, credentials are secured, and autonomy is enabled.

For developers, ByteRover solves the token waste problem by building a memory layer teams can share. Learn more at byterover.dev or read the token reduction benchmark.