Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Token Saver

v1.1.0

A Korean-specialized Context DB that cuts AI token usage by up to 96%, optimizes prompts, and supports memory search.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim a Context DB for token savings and the bundled Python client (scripts/token_saver.py) implements exactly that (save/search/list/usage against https://api.tokensaver.ai). So capability matches purpose. However, registry metadata declared no required environment variables/credentials while the client requires an API key (constructor or TOKENSAVER_API_KEY). That omission is inconsistent.
Instruction Scope
SKILL.md examples show using the TokenSaver client and indicate obtaining an API key from https://tokensaver.ai; runtime instructions and the client perform HTTP requests to the service endpoints listed in data/endpoints.json. The instructions do not direct the agent to read unrelated local files or other credentials. They do, however, recommend 'pip install token-saver' (see install section) which is an external action outside the included code and not represented in the skill metadata.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), but SKILL.md instructs users to run 'pip install token-saver'. The repository already includes a client script, so recommending pip may cause users to install an external PyPI package which might differ (typo‑squatting risk) or execute unrelated code. Lack of an explicit, verifiable install/source for that package is a risk.
Credentials
The Python client requires an API key (constructor param or TOKENSAVER_API_KEY env var) and will send stored content to https://api.tokensaver.ai. The skill metadata declares no required env vars/primary credential — an inconsistency. Requiring a single service API key is proportionate to the stated purpose, but the omission in metadata and the fact that user-provided content is transmitted to an external service are notable privacy/security considerations.
Persistence & Privilege
The skill is not 'always: true' and does not request system-wide persistence or modify other skills. It behaves as a normal client that makes network calls to its API endpoints.
What to consider before installing
Before installing or using this skill, consider the following:
1) The included Python client requires an API key (TOKENSAVER_API_KEY or passed to TokenSaver), but the skill metadata does not declare that — do not supply secrets until you verify the service and key issuance process.
2) SKILL.md tells you to 'pip install token-saver' even though the bundle contains a client script; verify the PyPI package name and publisher (tokensaver.ai maker) before running pip to avoid typo-squatting.
3) This skill sends whatever you save to an external API (tokensaver.ai). Do not send passwords, private keys, or other sensitive data to the service until you confirm its privacy policy, retention practices, and TLS/certificate legitimacy.
4) If you want to test safely, run the included script in an isolated environment (container or VM) and inspect network calls (e.g., with a proxy) before giving real data.
5) If you need to proceed, prefer providing an API key with limited scope or a throwaway account, and confirm the domain and package ownership independently (domain WHOIS / PyPI maintainer).

Like a lobster shell, security has layers — review code before you run it.
