Skill v1.5.0

ClawScan security

Token Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 13, 2026, 1:10 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The package generally implements a simple quota checker that can help avoid 429s, but the SKILL.md claims many features (caching, duplicate detection, record_usage/record_429 APIs, etc.) that are not present in the code — the docs and runtime behavior are inconsistent.
Guidance
Summary of things to consider before installing:
- The implementation and documentation disagree. SKILL.md promises caching, duplicate detection, record_usage/cache_response/record_429 helpers and richer behavior; the shipped script only provides TokenGuard.check_quota(...) and saves simple usage/request counters. If you rely on the advertised APIs they will fail. Ask the author for a matching release or updated code.
- The script writes a state.json file (usage counters and timestamps) into the skill's base directory by default. This is normal for quota tracking but confirm the path is acceptable and writable in your environment if you care about where files are stored.
- There are no network calls, no environment variables read, and no obvious exfiltration of prompts/responses in the code. That reduces risk, but the mismatch between docs and code is a functional risk: an agent expecting missing methods may error or behave unpredictably.
- Recommended actions: (1) run the script in a sandboxed environment to verify behavior, (2) request a corrected SKILL.md or an updated script implementing the advertised features (or modify the agent to only call check_quota), and (3) inspect/monitor the created state.json while testing to ensure no sensitive data is written. If you need the advertised caching/duplicate-detection, do not deploy this version until those features are implemented.

Review Dimensions

Purpose & Capability
concern
Name/description imply a token/429 prevention engine and the included TokenGuard class does implement basic TPM/RPM checks and atomic state writes, which aligns with the stated purpose. However SKILL.md advertises multiple features (duplicate detection, response caching, 429 parser, record_usage/cache_response/record_429 methods, auto model fallback chains, etc.) that are not implemented in scripts/token_guard.py. That mismatch means the skill does not actually provide many of the advertised capabilities.
Instruction Scope
concern
SKILL.md usage examples instruct callers to call guard.record_usage(...), guard.cache_response(...), guard.record_429(...), and other methods, but the code only exposes TokenGuard.check_quota(...) and no record/cache methods. The instructions therefore direct an agent/developer to call non-existent APIs, which will cause runtime errors or undefined behavior. The README also claims duplicate detection and caching, but the code does not store prompts or responses or implement duplicate blocking — so the runtime scope described is inaccurate.
Install Mechanism
ok
No install spec is provided (instruction-only skill with a single script). No external downloads or package installs are required, which minimizes install-time risk.
Credentials
ok
The skill requests no environment variables or credentials and the code does not read environment variables, secrets, or network endpoints. It does write a local state file but does not log prompt contents or responses, so credential or prompt exfiltration is not apparent.
Persistence & Privilege
note
TokenGuard writes a state.json file by default into a directory computed relative to the script (base_dir = two directories above the script). That creates persistent state on disk (usage counts, request counts, window_start). This is expected for quota tracking but you should note where files will be written and whether that location is writable or appropriate. always:false and no special privileges requested.