Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Token Saver (Korean)
v1.0.0
A prompt optimization and memory search tool that reduces AI token usage by up to 96% using a Korean Context DB.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code, SKILL.md, endpoints.json, and openclaw.skill.json all describe a remote memory/search API (api.tokensaver.ai) for reducing token usage; that matches the declared purpose. However, the package requires an API key to operate (TOKENSAVER_API_KEY or constructor param) but the registry metadata lists no required environment variables or primary credential. The absence of a declared credential in the registry is an incoherence.
Instruction Scope
SKILL.md instructs installing a pip package and using an API key from tokensaver.ai; the included Python code performs POST/GET requests to api.tokensaver.ai to save/search memories. That behavior is inside the stated scope (remote memory service). Note that all content saved by users will be transmitted to an external endpoint (tokensaver.ai) — expected for this service but important to surface.
Install Mechanism
There is no platform install spec (instruction-only skill), but SKILL.md tells users to pip install token-saver. The bundle also contains a local script entry (scripts/token_saver.py). This is not high-risk by itself, but you should verify the PyPI package identity (if you choose to pip install) and the origin of the included code. No downloads from unknown URLs or obfuscated installers were found.
Credentials
The Python code requires an API key (constructor or TOKENSAVER_API_KEY environment variable) and uses it as a Bearer token to call the external API. The registry metadata declares no required env vars or primary credential — a clear mismatch. The skill will not function without that secret, and the secret is used to authorize remote storage of user content; this should have been declared explicitly.
Persistence & Privilege
The skill does not request always:true and does not claim any special persistent system privileges. It does not modify other skills or system configs. Normal autonomous invocation is allowed by default.
What to consider before installing
Before installing: (1) Understand that this skill will send any saved content to api.tokensaver.ai — do not store sensitive secrets or private data there unless you trust the service and reviewed its privacy policy. (2) The packaged code requires an API key (TOKENSAVER_API_KEY or passing api_key) but the registry omitted that requirement — expect to provide a secret. (3) Verify the service/domain (https://tokensaver.ai) and the PyPI package identity if you plan to pip install; confirm pricing/limits and data retention. (4) If you need local-only token reduction, prefer tools that run entirely offline; otherwise limit what you save and rotate the API key regularly. (5) If you want higher assurance, ask the publisher for a homepage, privacy policy, and proof of ownership (repository or package listing) and request that the registry metadata be corrected to declare the required credential.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai, korean, latest, token-optimization
