AllToken
Pass
Audited by ClawScan on May 13, 2026.
Overview
The visible artifacts look like a normal AllToken bootstrap recipe, but using it will create project files, install packages, use an AllToken API key, and send requests to AllToken.
This appears safe to install as an instruction-only bootstrap skill if you intend to build an AllToken project. Before using it, choose the target directory carefully, keep ALLTOKEN_API_KEY out of source control, review npm dependencies, and remember that smoke tests and generated apps may spend credits and send prompts to AllToken.
Publisher note
Calls api.alltoken.ai only (Bearer $ALLTOKEN_API_KEY). No eval/exec/shell.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the generated project with this key can make AllToken API calls and spend associated credits.
The skill uses a provider API key to authenticate to AllToken. This is expected for the integration, but it is a sensitive credential and can consume account credits.
**Auth header:** `Authorization: Bearer $ALLTOKEN_API_KEY`
Use a revocable AllToken key from the environment only, avoid committing it, and confirm the account/billing scope before running smoke tests or generated apps.
The generated project will depend on packages downloaded from npm at install time.
The bootstrap flow installs third-party npm dependencies without pinned versions. This is normal for a scaffolding recipe, but it introduces standard package supply-chain exposure.
```bash
npm install openai zod eventemitter3
npm install ink react   # optional: TUI only
npm install -D typescript @types/react tsx
```
Review dependencies, generate and keep a lockfile, and pin versions if reproducibility or stricter supply-chain control is important.
Prompts, tool requests, and media-generation inputs sent through the generated client will leave the local environment for AllToken's service.
The generated client is designed to send chat, image, video, and model-discovery requests to AllToken's API. The destination is clearly disclosed and matches the skill purpose.
**Base URL:** `https://api.alltoken.ai/v1`
Do not send secrets or private data unless you intend to share them with AllToken under its service terms.
