Token Pilot

Security checks across malware telemetry and agentic risk

Overview

Token Pilot is a disclosed token-saving skill, but it can persistently change all local agents and optionally move or delete workspace files, so it needs careful review before use.

Install only if you intentionally want this skill to affect all OpenClaw agents. Review the init preview, avoid --yes unless you want unattended bulk changes, run read-only audit modes before any --apply mode, back up workspace files before applying cleanup, and keep secrets or sensitive user data out of persistent memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README presents the skill as token optimization/auditing, but the documented behavior includes persistent modification of every agent's AGENTS.md and optional recurring cron execution. That is a broader and more invasive capability than users would reasonably infer from the description, creating a scope-transparency problem and increasing the chance of unintended persistent behavioral changes across the workspace.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Writing optimization rules into all agents' AGENTS.md files gives the skill persistent control over agent behavior well beyond passive token analysis. Because AGENTS.md influences future sessions, this acts as a durable policy injection mechanism across the environment, which materially increases risk if the rules are wrong, overbroad, or later abused.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Documenting an optimize script with '--apply automatic workspace repair' introduces workspace mutation capability that exceeds a narrowly described audit/optimization role. Automatic repair can change files in ways users did not anticipate from the skill description, especially if triggered through agent assistance or automation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill frames itself as an optimizer/auditor, but the documented workflow includes modifying all agents' AGENTS.md and auto-fixing workspace files. That is risky because audit-like language lowers operator suspicion while the actual behavior introduces persistent configuration drift and potentially destructive changes.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The initialization flow is designed to propagate broad behavioral rules into all agents' AGENTS.md files, which is a form of persistent cross-agent policy injection. In context, this is more dangerous than ordinary optimization advice because it changes the baseline behavior of multiple agents at session start and can affect future tasks well beyond token usage.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script is designed to persistently modify every agent's AGENTS.md so that token-pilot rules auto-apply across future sessions. That is far broader than an on-demand token optimization helper and creates a cross-agent policy injection mechanism that can alter agent behavior globally without tight scoping to a specific task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The execution phase loops over all agents under the workspace and creates or rewrites each AGENTS.md, enabling mass cross-agent configuration changes. In the context of a token-usage optimization skill, this capability is excessive and dangerous because it provides a broad persistence and propagation channel that could be repurposed to modify behavior platform-wide.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The --yes flag allows unattended execution that skips user confirmation before mass-modifying agent configuration files. While common in automation, combining non-interactive mode with persistent cross-agent rewrites increases the chance of silent, large-scale behavioral changes and reduces the user's opportunity to notice or stop them.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it performs automatic token optimization during interaction, but this script actually performs standalone maintenance over local OpenClaw state and user workspaces, including renaming files and deleting BOOTSTRAP.md when --apply is used. That scope mismatch is security-relevant because users may grant trust based on the manifest while the code has broader filesystem side effects.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The header says --apply performs 'workspace cleanup only', but the implementation also permanently deletes BOOTSTRAP.md. Misrepresenting destructive behavior undermines informed consent and can cause unintended loss of setup or audit information if users rely on the comment/usage text.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match ordinary discussion about token usage, optimization, or cost, which can cause unintended skill activation. In this skill, accidental activation is more dangerous because activation can lead to persistent initialization flows and agent-wide rule injection, not just harmless advice.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README states that mentioning token, optimization, consumption, or cost loads the full skill, but this scope is ambiguous and very broad. Since full-skill loading enables additional behavior and guidance that can influence tool use and workspace changes, ambiguous activation increases the risk of unintended execution paths.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to overlap with normal conversation such as 'start work' or generic task requests, causing the skill to activate unexpectedly before a user intended to invoke token tooling. Because the skill can then prompt for initialization and diagnostics, over-broad activation increases the chance of unnecessary shell/script execution and privilege expansion during unrelated tasks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
In auto-fix mode the script renames multiple files in the user's workspace root into scripts/ with no execution-time confirmation, preview, rollback, or conflict handling. Automated file moves can break workflows, tooling assumptions, imports, or user organization, especially because extensions like .js, .cmd, .bat, and .ps1 may be intentional top-level project files rather than 'junk'.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script deletes BOOTSTRAP.md automatically under --apply without a dedicated confirmation, backup, or validation that the file is truly obsolete. Because BOOTSTRAP.md may contain installation, provenance, or recovery instructions, silent deletion can cause irreversible data loss and weakens user control over local state.

Session Persistence

Medium
Category
Rogue Agent
Content
Tool calls with no dependencies on each other are merged into one block and issued together (read A + read B + read C, not three separate calls). For tool results longer than 500 characters, extract only the relevant part; do not echo the whole result.

### Writing files
When the change is under 30% of the file, use edit rather than overwriting the whole file with write. In the output show only the changed lines with ±2 lines of context; do not paste the complete file.

### Prompt cache protection
Keep the content of SOUL.md / AGENTS.md stable; do not add timestamps, session IDs, or other fields that change on every run. Put dynamic content (tool results, memory_search injections) at the end, not interleaved with the fixed content. Write high-frequency fixed facts at the top of SOUL.md or MEMORY.md rather than relying on a semantic search hit each time.
Confidence
85% confidence
Finding
...overwriting the whole file with write. In the output show only the changed lines with ±2 lines of context; do not paste the complete file. ### Prompt cache protection Keep the content of SOUL.md / AGENTS.md stable; do not add timestamps, session IDs, or other fields that change on every run. Put dynamic content (tool results, memory_search injections) at the end, not interleaved with the fixed content. Write high-frequency fixed facts at the top of SOUL.md or MEMORY.md rather than relying on a semantic search hit each time. ### 动

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal