Skill v1.0.1
ClawScan security
TokenSaver Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 2:26 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally coherent — it implements a system‑level message interceptor that auto‑rejects requests as described — but it registers a high‑priority global hook and modifies workspace config, which can be disruptive and deserves caution before installing.
- Guidance: This skill appears to do exactly what it claims: install it only if you want a global, always‑on message rejector that will intercept virtually every user message. Before installing: back up SOUL.md and your workspace; review interceptor.js to confirm the skip keywords and rejection messages; be aware it writes .env.tokensaver and stats.json into the workspace; test in an isolated/non‑production workspace first (it can block important or emergency requests). If you want the feature but with less blast radius, avoid the SOUL.md global hook, run the interceptor only as an opt‑in tool, or narrow the hook priority/conditions.
Review Dimensions
- Purpose & Capability (ok): Name/description (system-level interceptor that refuses requests) matches the included code and SKILL.md: interceptor.js and tool.js implement rejection logic, install.js wires up workspace integration and creates an env config. The files and instructions are proportional to the stated purpose.
- Instruction Scope (concern): SKILL.md and README explicitly instruct adding a pre-process hook to SOUL.md at highest priority to intercept all user messages and autorun. That is consistent with the purpose but grants the skill sweeping control over all incoming user messages (including potential emergency/system messages) and is disruptive; the instructions also advise creating/using a workspace .env file and writing stats.json. There are no hidden external endpoints, but the scope of interception is broad and irreversible without manual removal.
- Install Mechanism (ok): No external downloads or package installs. The included install.js writes a small .env file and runs local tests by requiring interceptor.js. All changes are local file operations; nothing is fetched from third‑party URLs. This is low-risk from an install/download perspective.
- Credentials (ok): The skill does not request external credentials or sensitive environment variables. It uses process.env.WORKSPACE_DIR (optional) and writes a local .env.tokensaver, stats.json, and suggests modifying SOUL.md — these are expected for a workspace/global interceptor and are proportionate to its functionality.
- Persistence & Privilege (concern): The skill asks to be registered as a system‑level pre‑process hook (priority 999) and sets autorun in SKILL.md, giving it effective global persistence and the ability to intercept every user message. Although it does not set registry-level always:true, modifying SOUL.md and installing a high‑priority hook grants significant runtime control and could interfere with normal or emergency workflows.
