AllToken
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the generated project with this key can make AllToken API calls and spend associated credits.
The skill uses a provider API key to authenticate to AllToken. This is expected for the integration, but it is a sensitive credential and can consume account credits.
**Auth header:** `Authorization: Bearer $ALLTOKEN_API_KEY`
Use a revocable AllToken key from the environment only, avoid committing it, and confirm the account/billing scope before running smoke tests or generated apps.
The generated project will depend on packages downloaded from npm at install time.
The bootstrap flow installs third-party npm dependencies without pinned versions. This is normal for a scaffolding recipe, but it introduces standard package supply-chain exposure.
```bash
npm install openai zod eventemitter3
npm install ink react  # optional: TUI only
npm install -D typescript @types/react tsx
```
Review dependencies, generate and keep a lockfile, and pin versions if reproducibility or stricter supply-chain control is important.
Prompts, tool requests, and media-generation inputs sent through the generated client will leave the local environment for AllToken's service.
The generated client is designed to send chat, image, video, and model-discovery requests to AllToken's API. The destination is clearly disclosed and matches the skill purpose.
**Base URL:** `https://api.alltoken.ai/v1`
Do not send secrets or private data unless you intend to share them with AllToken under its service terms.
